git.stella-ops.org/docs/full-features-list.md
StellaOps Bot 3098e84de4 save progress
2026-01-04 14:54:52 +02:00


# Full Features List - Stella Ops
> **Comprehensive catalog of every capability in the Stella Ops platform.**
>
> For quick capability cards with competitive differentiation, see [`key-features.md`](key-features.md).
> For tier-based availability (Free/Community/Enterprise), see [`04_FEATURE_MATRIX.md`](04_FEATURE_MATRIX.md).
---
## Table of Contents
1. [Core Platform Differentiators](#1-core-platform-differentiators)
2. [Container Image Scanning](#2-container-image-scanning)
3. [SBOM Capabilities](#3-sbom-capabilities)
4. [Language Analyzers](#4-language-analyzers)
5. [Vulnerability Detection](#5-vulnerability-detection)
6. [Advisory Sources](#6-advisory-sources)
7. [VEX Processing](#7-vex-processing)
8. [Reachability Analysis](#8-reachability-analysis)
9. [Binary Analysis](#9-binary-analysis)
10. [Policy Engine](#10-policy-engine)
11. [Attestation & Signing](#11-attestation--signing)
12. [Regional Cryptography](#12-regional-cryptography)
13. [Risk Scoring & Assessment](#13-risk-scoring--assessment)
14. [Evidence Management](#14-evidence-management)
15. [Determinism & Reproducibility](#15-determinism--reproducibility)
16. [CLI Features](#16-cli-features)
17. [Web UI Features](#17-web-ui-features)
18. [Offline & Air-Gap Operations](#18-offline--air-gap-operations)
19. [Deployment Options](#19-deployment-options)
20. [Authentication & Authorization](#20-authentication--authorization)
21. [Integrations & Notifications](#21-integrations--notifications)
22. [Observability & Telemetry](#22-observability--telemetry)
23. [Scheduling & Automation](#23-scheduling--automation)
24. [Version Comparison](#24-version-comparison)
25. [Database & Storage](#25-database--storage)
26. [API Capabilities](#26-api-capabilities)
27. [Support & Services](#27-support--services)
---
## 1. Core Platform Differentiators
These are the fundamental capabilities that distinguish Stella Ops from other vulnerability scanners.
### 1.1 Decision Capsules
- **Audit-grade evidence bundles** containing everything needed to reproduce and verify vulnerability decisions
- Content-addressed bundles with exact SBOM, frozen feed snapshots (with Merkle roots), policy version, lattice rules
- Evidence includes reachability proofs (static + runtime), VEX statements, binary fingerprints
- Outputs include verdicts, risk scores, remediation paths
- DSSE signatures over all components
- Six-month-later replay: `stella replay srm.yaml --assert-digest <sha>` produces identical results
### 1.2 Deterministic Replay
- **Bit-for-bit reproducible scans** from frozen feeds and analyzer manifests
- Replay Manifest (SRM) captures exact analyzer inputs/outputs per layer
- Feed snapshots (NVD, KEV, EPSS, distro advisories) with content hashes
- Frozen analyzer versions and configurations
- Frozen policy rules and lattice state
- Random seeds for deterministic ordering
### 1.3 VEX-First Decisioning (K4 Lattice Logic)
- **Belnap K4 four-valued logic** (Unknown, True, False, Conflict)
- VEX as logical claims with trust weighting, not suppression files
- Conflicts are explicit state, not hidden
- Vendor + runtime + reachability merged with conflicts surfaced
- Unknown treated as first-class state with risk implications
### 1.4 Signed Reachability Proofs
- **Three-layer validation** with cryptographic binding
- Every reachability graph sealed with DSSE
- Optional edge-bundle attestations for contested paths
- Proves exploitability with exact call paths from entrypoint to vulnerable function
### 1.5 Sovereign Offline Operation
- **Full functionality without network**
- Air-gapped environments get results identical to those of connected deployments
- Offline Update Kits bundle everything needed
- Epistemic parity (sealed, reproducible knowledge state)
### 1.6 Smart-Diff (Semantic Risk Delta)
- **Diff security meaning, not CVE counts**
- Compare reachability graphs, policy outcomes, and trust weights between releases
- Output like "Exploitability DECREASED by 67% despite +2 CVEs"
- Material change detection for informed decision-making
### 1.7 Unknowns as First-Class State
- **Explicit modeling of uncertainty**
- Hot/Warm/Cold/Resolved bands for uncertainty tracking
- Decay algorithms for uncertainty resolution
- Blast-radius containment
- Policy budgets ("fail if unknowns > N")
---
## 2. Container Image Scanning
### 2.1 Image Formats
- OCI container images
- Docker images
- Container filesystem archives
- Rootfs directories
- Layer-by-layer analysis
### 2.2 Scanning Modes
- **Quick Mode**: Fast scan for basic vulnerabilities
- **Standard Mode**: Balanced scan with full vulnerability detection
- **Deep Mode**: Comprehensive analysis with reachability and binary analysis
### 2.3 Base Image Detection
- Automatic base image identification
- Base image layer separation
- Inherited vs. application-added package differentiation
### 2.4 Layer-Aware Analysis
- Per-layer package detection
- Layer change tracking
- Delta analysis between layers
- Content-addressed layer caching
### 2.5 Registry Integration
- Pull images by digest (content-addressed)
- Registry authentication support
- Private registry support
- Registry mirror support for offline operation
### 2.6 Scan Performance
- Delta-SBOM cache for warm scans < 1 second
- Concurrent scan workers (1/3/unlimited by tier)
- Content-addressed layer caching
- Incremental analysis for unchanged layers
---
## 3. SBOM Capabilities
### 3.1 SBOM Formats Supported
- **CycloneDX 1.7** (primary output format)
- **CycloneDX 1.6** (backward compatible ingest)
- **SPDX 3.0.1** (full support)
- **SPDX-JSON** (ingest)
- **Trivy-JSON** (ingest)
### 3.2 SBOM Generation
- Automatic SBOM generation from container images
- Package extraction from all supported ecosystems
- Dependency relationship mapping
- Component metadata extraction
- License detection
### 3.3 SBOM Ingestion
- Auto-format detection
- Bring-Your-Own-SBOM (BYOS) support
- Third-party SBOM import
- Validation and normalization
### 3.4 Delta-SBOM Engine
- Content-addressed catalog
- Layer-aware ingestion
- Rescans only fetch new layers
- Warm scans < 1 second
### 3.5 SBOM Diff
- Semantic SBOM comparison
- Package addition/removal detection
- Version change tracking
- License change detection
### 3.6 SBOM Lineage Ledger (Enterprise)
- Full versioned SBOM history
- Lineage tracking across builds
- Traversal queries via Lineage API
- Audit trail for SBOM changes
### 3.7 SBOM Service
- Central SBOM storage and versioning
- Content-addressed storage
- SBOM deduplication
- Retention policies
---
## 4. Language Analyzers
### 4.1 .NET/C# Analyzer
- NuGet package detection
- packages.config parsing
- .csproj/Directory.Build.props parsing
- .NET SDK version detection
- Framework dependency mapping
- Assembly metadata extraction
### 4.2 Java Analyzer
- Maven dependency resolution (pom.xml)
- Gradle build file parsing (build.gradle, build.gradle.kts)
- JAR/WAR/EAR analysis
- MANIFEST.MF parsing
- Java version detection
- Spring Boot dependency detection
### 4.3 Go Analyzer
- go.mod/go.sum parsing
- Go module dependency resolution
- Go version detection
- Vendor directory analysis
- Binary build info extraction
### 4.4 Python Analyzer
- requirements.txt parsing
- Pipfile/Pipfile.lock parsing
- pyproject.toml parsing
- setup.py analysis
- Poetry lockfile support
- Conda environment parsing
- pip freeze output parsing
### 4.5 Node.js Analyzer
- package.json/package-lock.json parsing
- yarn.lock parsing
- pnpm-lock.yaml parsing
- npm shrinkwrap support
- Node.js version detection
- Workspace/monorepo support
### 4.6 Ruby Analyzer
- Gemfile/Gemfile.lock parsing
- Ruby version detection
- Bundler version detection
- Gem specification parsing
### 4.7 Bun Analyzer
- bun.lockb parsing
- package.json processing
- Bun-specific dependency resolution
### 4.8 Deno Analyzer
- deno.json parsing
- Import map resolution
- URL-based dependency tracking
- deno.lock parsing
### 4.9 PHP Analyzer
- composer.json/composer.lock parsing
- PHP version detection
- Packagist dependency resolution
### 4.10 Rust Analyzer
- Cargo.toml/Cargo.lock parsing
- Rust edition detection
- Crates.io dependency resolution
- Build target analysis
### 4.11 Native Binary Analyzer
- ELF binary analysis (Linux)
- PE binary analysis (Windows)
- Mach-O binary analysis (macOS)
- Build-ID extraction
- Symbol table parsing
- Dynamic library dependency detection
---
## 5. Vulnerability Detection
### 5.1 CVE Matching
- CVE lookup via local database
- Package-to-CVE mapping
- Version range matching
- PURL-based matching
### 5.2 Vulnerability Scoring
- CVSS v4.0 display
- CVSS v3.1 support
- CVSS v2.0 legacy support
- EPSS v4 probability scoring
- Priority band classification
### 5.3 Exploitability Assessment
- KEV (Known Exploited Vulnerabilities) flagging
- EPSS probability integration
- Reachability-aware prioritization
- VEX status consideration
### 5.4 License Risk Detection (Planned)
- License identification
- License compatibility analysis
- License risk scoring
- Copyleft detection
---
## 6. Advisory Sources
### 6.1 Primary Sources
- **NVD** (National Vulnerability Database)
- **GHSA** (GitHub Security Advisories)
- **OSV** (Open Source Vulnerabilities)
- **KEV** (Known Exploited Vulnerabilities)
- **EPSS v4** (Exploit Prediction Scoring System)
### 6.2 Distribution-Specific Sources
- **Alpine SecDB**
- **Debian Security Tracker**
- **Ubuntu USN** (Ubuntu Security Notices)
- **RHEL/CentOS OVAL** (Community/Enterprise)
### 6.3 Advisory Processing (Concelier)
- Multi-source advisory ingestion
- Advisory normalization
- Duplicate detection
- Conflict resolution
- Advisory merge engine (Enterprise)
- Custom advisory connectors (Enterprise)
### 6.4 Feed Management
- Automated feed updates
- Feed mirroring for offline operation
- Feed snapshot versioning
- Content-addressed feed storage
---
## 7. VEX Processing
### 7.1 VEX Formats Supported
- **OpenVEX** (primary format)
- **CycloneDX VEX**
- **CSAF VEX** (Community/Enterprise)
### 7.2 VEX Ingestion (Excititor)
- Multi-format VEX import
- VEX validation
- VEX normalization
- Statement extraction
### 7.3 VEX Consensus Engine (VexLens)
- Trust vector scoring (Precision/Coverage/Recency)
- Claim strength multipliers
- Freshness decay algorithms
- Conflict detection and penalty (K4 lattice logic)
- Multi-issuer statement aggregation
### 7.4 Trust Weighting
- Issuer trust scoring
- Statement freshness weighting
- Claim strength assessment
- Conflict penalty calculation
### 7.5 VEX Conflict Resolution
- K4 four-valued logic (Unknown/True/False/Conflict)
- Conflict surfacing (not hiding)
- Visual conflict resolution (VEX Conflict Studio UI)
- Deterministic outcome selection
### 7.6 VEX Hub
- VEX distribution and exchange
- Internal VEX network
- VEX statement sharing
- VEX propagation across supply chain
### 7.7 Issuer Directory
- Issuer trust registry
- CSAF publisher management
- Trust root configuration
- Issuer metadata storage
### 7.8 Trust Calibration Service (Enterprise)
- Organization-specific trust tuning
- Custom trust weightings
- Historical trust analysis
---
## 8. Reachability Analysis
### 8.1 Static Call Graph
- Function-level call graph construction
- Cross-module call tracking
- Entry point identification
- Path enumeration
### 8.2 Entrypoint Detection
- 9+ framework types supported
- HTTP endpoints
- CLI entry points
- Event handlers
- Message consumers
- Scheduled tasks
### 8.3 BFS Reachability
- Breadth-first path search
- Shortest path calculation
- All paths enumeration
- Path filtering
### 8.4 Three-Layer Reachability Proofs
- **Layer 1 (Static)**: Call graph path from entrypoint to vulnerable function
- **Layer 2 (Binary)**: Compiled binary contains symbol with matching offset
- **Layer 3 (Runtime)**: eBPF probe confirms function execution
### 8.5 Confidence Tiers
- **Confirmed**: All three layers agree
- **Likely**: Static + binary agree; no runtime data
- **Present**: Package present; no reachability evidence
- **Unreachable**: Static analysis proves no path exists
### 8.6 Binary Loader Resolution (Community/Enterprise)
- ELF dynamic linking resolution
- PE import table analysis
- Mach-O load command parsing
### 8.7 Feature Flag/Config Gating (Community/Enterprise)
- Configuration-based path analysis
- Feature flag detection
- Conditional path evaluation
### 8.8 Runtime Signal Correlation (Enterprise)
- Zastava integration for runtime signals
- eBPF-based function tracing
- Actual execution path verification
### 8.9 Gate Detection (Enterprise)
- Authentication gate detection
- Authorization check identification
- Admin-only path detection
### 8.10 Path Witness Generation (Enterprise)
- Audit evidence for reachability claims
- Detailed path documentation
- Witness verification
### 8.11 Reachability Drift Detection
- Cross-version reachability comparison
- Path change detection
- Risk delta calculation
### 8.12 Reachability Mini-Map API (Enterprise)
- UI visualization data
- Compact graph representation
- Interactive exploration support
### 8.13 Runtime Timeline API (Enterprise)
- Temporal execution analysis
- Time-based function tracking
- Historical runtime data
---
## 9. Binary Analysis
### 9.1 Binary Identity Extraction
- Build-ID extraction
- SHA-256 hash computation
- Content-addressed identification
- Metadata extraction
### 9.2 Binary Format Parsers (Community/Enterprise)
- **ELF** (Linux) parser
- **PE** (Windows) parser
- **Mach-O** (macOS) parser
### 9.3 Build-ID Vulnerability Lookup
- Direct build-ID to CVE mapping
- Pre-computed vulnerability databases
### 9.4 Binary Corpus Support
- **Debian/Ubuntu Corpus** (all tiers)
- **RPM/RHEL Corpus** (Community/Enterprise)
### 9.5 Patch-Aware Backport Detection (Community/Enterprise)
- Distribution patch tracking
- Backported fix detection
- False positive reduction
### 9.6 Binary Fingerprint Generation (Enterprise)
- Function-level fingerprints
- Code similarity hashing
- Version-independent matching
### 9.7 Fingerprint Matching Engine (Enterprise)
- Similarity search across binaries
- Fuzzy matching for modified code
- Large-scale fingerprint database
### 9.8 DWARF/Symbol Analysis (Enterprise)
- Debug symbol parsing
- Source location mapping
- Type information extraction
### 9.9 Symbol Resolution (Symbols Module)
- Symbol table parsing
- Name demangling
- Cross-reference building
- Symbol repository
---
## 10. Policy Engine
### 10.1 Policy Rule Formats
- **YAML Policy Rules** (all tiers)
- **OPA/Rego Integration** (Enterprise)
- **Score Policy YAML** (Enterprise)
### 10.2 Belnap K4 Four-Valued Logic
- Unknown (no information)
- True (positive assertion)
- False (negative assertion)
- Conflict (contradictory assertions)
### 10.3 Security Atoms (6 Types)
- **PRESENT**: Package is present in artifact
- **APPLIES**: CVE applies to package version
- **REACHABLE**: Vulnerable code is reachable
- **MITIGATED**: Compensating controls exist
- **FIXED**: Vulnerability is fixed
- **MISATTRIBUTED**: CVE incorrectly assigned
### 10.4 Policy Gates
- **Minimum Confidence Gate**: Enforce minimum confidence threshold
- **Unknowns Budget Gate** (Community/Enterprise): Limit acceptable unknowns
- **Source Quota Gate** (Enterprise): 60% source cap enforcement
- **Reachability Requirement Gate** (Enterprise): Require reachability proof for criticals
- **Evidence Freshness Gate**: Enforce evidence age limits
- **VEX Trust Gate**: VEX-based policy decisions
- **Drift Gate**: Reachability drift enforcement
- **Stability Damping Gate**: Noise reduction
### 10.5 Disposition Selection
- ECMA-424 compliant disposition mapping
- Deterministic outcome selection
- Traceable decision paths
### 10.6 Exception Objects & Workflow (Enterprise)
- Time-bound exceptions
- Approval chain management
- Exception tracking
### 10.7 Policy Version History (Enterprise)
- Full policy change audit trail
- Policy rollback capability
- Version comparison
### 10.8 Configurable Scoring Profiles (Enterprise)
- Simple profile (basic scoring)
- Advanced profile (multi-factor scoring)
- Custom profile creation
---
## 11. Attestation & Signing
### 11.1 DSSE Envelope Signing
- Detached signature envelopes
- Canonical JSON payloads
- Multi-signature support
### 11.2 in-toto Statement Structure
- Statement v1 format
- Subject binding to artifacts
- Predicate flexibility
### 11.3 Attestation Predicates
- **SBOM Predicate**: SBOM content attestation
- **VEX Predicate**: VEX statement attestation
- **Reachability Predicate** (Community/Enterprise): Reachability proof attestation
- **Policy Decision Predicate** (Community/Enterprise): Policy outcome attestation
- **Human Approval Predicate** (Enterprise): Manual approval attestation
- **Boundary Predicate** (Enterprise): Network exposure attestation
### 11.4 Verdict Manifest
- Signed verdict bundles (Community/Enterprise)
- Complete decision documentation
- Replay verification support
### 11.5 Key Management
- Ephemeral OIDC/keyless signing
- Short-lived key support
- HSM/KMS integration
- Key rotation management (Enterprise)
### 11.6 SLSA Provenance (Enterprise)
- SLSA v1.0 provenance attestations
- Build provenance capture
- Supply chain attestation
### 11.7 Transparency Logging
- **Rekor Transparency Log** (Enterprise): Public attestation logging
- **Cosign Integration** (Enterprise): Sigstore ecosystem compatibility
- Inclusion proof storage
- Local transparency mirror for offline
---
## 12. Regional Cryptography
### 12.1 Default Cryptography
- **Ed25519** signing (default)
- Modern elliptic curve cryptography
- High performance signing/verification
### 12.2 FIPS 140-2/3 Mode
- ECDSA P-256 signing
- RSA-PSS signing
- US Federal compliance
- FIPS-validated modules
### 12.3 eIDAS Signatures
- ETSI TS 119 312 compliance
- EU qualified electronic signatures
- European compliance
### 12.4 GOST/CryptoPro
- GOST R 34.10-2012 signing
- Russian Federation compliance
- CryptoPro integration
### 12.5 SM National Standard
- GM/T 0003.2-2012 compliance
- SM2 signing algorithm
- China compliance
### 12.6 Post-Quantum Cryptography
- **Dilithium** signing (NIST PQC)
- **Falcon** signing support
- Future-proof security
### 12.7 Crypto Plugin Architecture
- Custom HSM integration
- Pluggable crypto providers
- Multi-signature DSSE envelopes (sign with multiple profiles)
### 12.8 RootPack Bundles
- Pre-configured trust root packages
- Regional trust root distribution
- Offline trust root updates
---
## 13. Risk Scoring & Assessment
### 13.1 Score Display
- CVSS v4.0/v3.1/v2.0 display
- EPSS v4 probability display
- Composite risk scores
### 13.2 Priority Band Classification
- Critical/High/Medium/Low/Informational bands
- Configurable band thresholds
- Multi-factor classification
### 13.3 EPSS-at-Scan Immutability (Community/Enterprise)
- EPSS score captured at scan time
- Historical score preservation
- Score drift tracking
### 13.4 Unified Confidence Model (Community/Enterprise)
- 5-factor confidence scoring
- Source confidence weighting
- Evidence strength assessment
### 13.5 Entropy-Based Scoring (Enterprise)
- Information-theoretic risk assessment
- Uncertainty quantification
### 13.6 Gate Multipliers (Enterprise)
- Reachability-aware score adjustment
- Gate-based risk modification
### 13.7 Unknowns Pressure Factor (Enterprise)
- Uncertainty budget enforcement
- Unknown count impact on risk
### 13.8 Custom Scoring Profiles (Enterprise)
- Organization-specific scoring
- Factor weight customization
- Profile versioning
### 13.9 Score Explanation Arrays
- Per-finding score breakdown
- Factor contribution transparency
- Decision audit support
---
## 14. Evidence Management
### 14.1 Findings List
- Comprehensive finding catalog
- Filtering and sorting
- Export capabilities
### 14.2 Evidence Graph View
- Visual evidence relationships
- Interactive exploration
- Dependency visualization
### 14.3 Findings Ledger (Enterprise)
- Immutable finding history
- Audit trail for all findings
- Finding lifecycle tracking
### 14.4 Evidence Locker (Enterprise)
- Sealed evidence storage
- Tamper-evident packaging
- Import/export capabilities
### 14.5 Evidence TTL Policies (Enterprise)
- Configurable retention rules
- Automatic expiration
- Compliance-driven retention
### 14.6 Evidence Size Budgets (Enterprise)
- Storage governance
- Quota enforcement
- Capacity planning
### 14.7 Retention Tiers (Enterprise)
- Hot tier (immediate access)
- Warm tier (near-line storage)
- Cold tier (archive storage)
### 14.8 Privacy Controls (Enterprise)
- Sensitive data redaction
- PII handling
- Anonymization support
### 14.9 Audit Pack Export (Enterprise)
- Compliance bundle generation
- Regulatory export formats
- Complete evidence packaging
---
## 15. Determinism & Reproducibility
### 15.1 Canonical JSON Serialization
- RFC 8785 compliant serialization
- Sorted keys
- Minimal escaping
- Consistent number formatting
### 15.2 Content-Addressed IDs
- SHA-256 based identification
- Immutable references
- Deduplication support
### 15.3 Replay Manifest (SRM)
- Complete scan input capture
- Version pinning
- Configuration recording
### 15.4 Replay Verification
- `stella replay` CLI command
- Digest assertion
- Bit-for-bit comparison
### 15.5 Evidence Freshness Multipliers (Community/Enterprise)
- Age-based confidence adjustment
- Decay algorithms
- Freshness enforcement
### 15.6 Proof Coverage Metrics (Community/Enterprise)
- Evidence completeness measurement
- Gap identification
- Coverage reporting
### 15.7 Fidelity Metrics (Enterprise)
- **BF** (Base Fidelity): Input quality
- **SF** (Scan Fidelity): Detection quality
- **PF** (Proof Fidelity): Evidence quality
- Audit dashboard integration
### 15.8 FN-Drift Rate Tracking (Enterprise)
- False negative monitoring
- Quality trend analysis
- Alert thresholds
### 15.9 Determinism Gate CI (Enterprise)
- Automated determinism testing
- CI/CD integration
- Drift prevention
---
## 16. CLI Features
### 16.1 Core Commands
- `stella scan` - Container image scanning
- `stella sbom` - SBOM generation and inspection
- `stella vex` - VEX evaluation and generation
- `stella advisory` - Advisory management
- `stella policy` - Policy evaluation
- `stella replay` - Deterministic replay
### 16.2 SBOM Commands
- `stella sbom generate` - Generate SBOM from image
- `stella sbom inspect` - View SBOM contents
- `stella sbom diff` - Compare SBOMs
- `stella sbom validate` - Validate SBOM format
- `stella sbom convert` - Convert between formats
### 16.3 VEX Commands
- `stella vex evaluate` - Evaluate VEX statements
- `stella vex generate` - Generate VEX documents
- `stella vex import` - Import VEX from file
- `stella vex export` - Export VEX statements
### 16.4 Attestation Commands
- `stella attest sign` - Sign attestations
- `stella attest verify` (Community/Enterprise) - Verify attestations
- `stella attest export` - Export attestations
### 16.5 Reachability Commands
- `stella reachability analyze` - Run reachability analysis
- `stella graph show` - Display reachability graph
- `stella reachability export` - Export reachability data
### 16.6 Risk Commands
- `stella risk evaluate` - Calculate risk scores
- `stella risk report` - Generate risk reports
### 16.7 Policy Commands
- `stella policy evaluate` - Run policy evaluation
- `stella policy validate` - Validate policy files
- `stella policy export` - Export policy decisions
### 16.8 Offline Commands
- `stella rootpack import` - Import trust root bundles
- `stella offline sync` - Sync offline data
- `stella offline verify` - Verify offline package
### 16.9 Database Commands
- `stella db update` - Update vulnerability database
- `stella db status` - Check database status
- `stella db export` - Export database snapshot
### 16.10 Export Commands
- `stella export sarif` - Export SARIF format
- `stella export json` - Export JSON format
- `stella export csv` - Export CSV format
- `stella export audit-pack` (Enterprise) - Export audit bundle
### 16.11 Administrative Commands (Enterprise)
- `stella admin` - Administrative utilities
- `stella symbols` - Symbol resolution commands
- `stella notify` - Notification management
- `stella orchestrator` - Workflow control
### 16.12 CLI Technical Features
- Native AOT compilation
- Cross-platform support (linux-x64, linux-arm64, osx-x64, osx-arm64, win-x64)
- Machine-readable output (JSON, NDJSON)
- Exit codes for CI/CD integration
- Environment variable configuration
---
## 17. Web UI Features
### 17.1 Core Interface
- Dark/Light mode toggle
- Responsive design
- Locale support, including Cyrillic scripts (Community/Enterprise)
- Keyboard shortcuts (Enterprise)
### 17.2 Findings View
- Findings Row Component
- Filtering and sorting
- Bulk actions
- Export capabilities
### 17.3 Evidence Visualization
- Evidence Drawer panel
- Proof Tab for attestations
- Evidence Graph View
- Confidence Meter
### 17.4 VEX Interface
- VEX Conflict Studio UI
- Claim Comparison Table (Enterprise)
- Trust Algebra Panel (Enterprise)
### 17.5 Reachability Visualization
- Reachability Mini-Map (Enterprise)
- Path visualization
- Call graph explorer
### 17.6 Policy Interface
- Policy Chips Display (Enterprise)
- Gate status visualization
- Policy decision trace
### 17.7 Triage Features
- Triage Canvas component
- Vulnerability triage workflow
- Status management
- Assignment capabilities
### 17.8 Timeline Features (Enterprise)
- Runtime Timeline view
- Historical execution data
- Temporal analysis
### 17.9 Administrative Features (Enterprise)
- Audit Trail UI
- Knowledge Snapshot UI (air-gap prep)
- Operator/Auditor Toggle (role separation)
- Reproduce Verdict Button
### 17.10 Noise Gating UI
- Delta visualization
- Gating statistics
- Noise reduction controls
---
## 18. Offline & Air-Gap Operations
### 18.1 Offline Update Kits (OUK)
- Complete feed bundles
- Monthly (Community) / Weekly (Enterprise) updates
- Signed packages
### 18.2 Knowledge Snapshots (Enterprise)
- Sealed feed exports
- Complete knowledge state capture
- Merkle root verification
### 18.3 Offline Signature Verification (Community/Enterprise)
- Local verification without network
- Embedded revocation lists
- Cached trust roots
### 18.4 Offline JWT Tokens (Enterprise)
- 90-day offline tokens
- Local token validation
- Extended offline operation
### 18.5 Air-Gap Bundle Manifest (Enterprise)
- Transfer package specification
- Integrity verification
- Import/export workflows
### 18.6 No-Egress Enforcement (Enterprise)
- Strict network isolation
- Egress policy enforcement
- Connectivity validation
### 18.7 Offline Components
- Mirrored vulnerability feeds
- Local transparency log mirror
- RootPack trust bundles
- Embedded revocation lists
### 18.8 One-Command Replay (Community/Enterprise)
- `stella replay srm.yaml` for offline verification
- No network required for replay
- Complete evidence bundle
---
## 19. Deployment Options
### 19.1 Docker Compose
- Single-node deployment (all tiers)
- Development environment setup
- Quick start configuration
### 19.2 Helm Chart (Community/Enterprise)
- Kubernetes deployment
- Configurable replicas
- Resource management
- Secret management
### 19.3 High Availability (Enterprise)
- Multi-replica deployment
- Load balancing
- Failover support
- Disaster recovery
### 19.4 Horizontal Scaling (Enterprise)
- Auto-scaling support
- Workload distribution
- Resource optimization
### 19.5 Dedicated Capacity (Enterprise)
- Reserved resources
- Guaranteed performance
- Isolation options
### 19.6 Infrastructure Requirements
- **PostgreSQL 16+**: Primary database
- **Valkey 8.0+**: Caching and queuing
- **RustFS (S3)** (Community/Enterprise): Object storage
### 19.7 Container Images
- Multi-architecture support (amd64, arm64)
- Minimal base images
- Regular security updates
---
## 20. Authentication & Authorization
### 20.1 Authentication Methods
- **Basic Auth**: Username/password (all tiers)
- **API Keys**: Token-based access (all tiers)
- **SSO/SAML**: Okta, Azure AD integration (all tiers)
- **OIDC Support**: OpenID Connect with discovery (all tiers)
### 20.2 OAuth 2.0 Grant Types
- **Client Credentials**: Service-to-service authentication
- **Resource Owner Password Credentials**: User login
- **Authorization Code + PKCE**: Browser-based UI flows
- **Device Code**: CLI login on headless agents
- **Refresh Token Grant**: DPoP-bound or mTLS-constrained
### 20.3 Sender-Constraint Technologies
#### DPoP (Demonstration of Proof-of-Possession)
- Proof JWT on every HTTP request
- Token bound via `cnf.jkt` (JWK thumbprint)
- Replay prevention with JTI cache
- Nonce support for high-value services
#### mTLS (Mutual TLS Binding)
- Client certificate-bound tokens
- Token carries `cnf.x5t#S256` (cert thumbprint)
- Enforced for high-value audiences (Signer, Attestor)
- Certificate chain validation
### 20.4 Token Management
- **Access Token (OpTok)**: 120-300 second TTL
- **Refresh Tokens**: Optional, short-lived (≤ 8h), rotating
- Token refresh (12h Free / 30d Community / Annual Enterprise)
- Short-lived key support
- JWT format with custom claims
### 20.5 Identity Provider Plugins
- **Standard Plugin**: Local username/password, MFA support
- **LDAP Plugin**: Active Directory / OpenLDAP integration
- **OIDC Plugin**: External OIDC provider federation
- **SAML Plugin**: SAML 2.0 assertion processing
### 20.6 RBAC (Role-Based Access Control)
- **Basic RBAC**: User/Admin roles (all tiers)
- **Advanced RBAC** (Enterprise): Team-based scopes, custom roles
- 70+ granular permission scopes
- Scope-based authorization enforcement
### 20.7 Scope Categories
- **Authority Admin**: `authority:tenants.*`, `authority:users.*`, `authority:roles.*`
- **Scanner**: `scanner:read`, `scanner:scan`, `scanner:export`
- **Signer**: `signer:read`, `signer:sign`, `signer:rotate`
- **Policy**: `policy:write`, `policy:review`, `policy:approve`, `policy:publish`
- **VulnExplorer**: `vuln:view`, `vuln:investigate`, `vuln:operate`
- **VEX**: `vex:read`, `vex:ingest`
- **Graph**: `graph:read`, `graph:write`, `graph:export`
- **Evidence**: `evidence:create`, `evidence:read`, `evidence:hold`
- **Attestation**: `attest:read`, `attest:create`, `attest:admin`
- **Observability**: `obs:read`, `obs:incident`, `timeline:read`
### 20.8 ABAC (Attribute-Based Access Control)
- Environment attribute filtering (`stellaops:attr:env`)
- Ownership visibility (`stellaops:attr:owner`)
- Business tier filtering (`stellaops:attr:business_tier`)
### 20.9 Multi-Tenant Management (Enterprise)
- Organization hierarchy
- Tenant isolation via `tid` claim
- Installation isolation via `inst` claim
- Cross-tenant policy enforcement
### 20.10 Specialized Tokens
- **Incident Mode Tokens**: 5-minute freshness, require a human-supplied reason
- **Vulnerability Workflow Tokens**: Anti-forgery for mutations
- **Attachment Access Tokens**: Evidence bundle downloads
- **Acknowledgment Tokens**: Notification workflows
### 20.11 Security Features
- Password lockout with configurable attempts
- Key rotation (30-90 day cadence, zero-downtime)
- KMS/HSM support (private keys never leave the KMS/HSM)
- Rate limiting (per-client, per-IP, per-endpoint)
- PKCE required for Authorization Code flow
### 20.12 Audit Logging (Enterprise)
- Token issuance audit (sub, aud, scopes, tid, jti)
- Revocation events
- Admin changes (client/user/role)
- Credential attempt tracking with failure codes
- DPoP/mTLS validation events
- SIEM integration
- User activity tracking
---
## 21. Integrations & Notifications
### 21.1 Notification Channels
- **In-App Notifications** (all tiers)
- **Email Notifications** (Community/Enterprise)
- **Slack Integration** (all tiers)
- **Microsoft Teams Integration** (all tiers)
### 21.2 Alert Types
- New vulnerability alerts
- EPSS change alerts (Community/Enterprise)
- Policy violation alerts
- Scan completion notifications
### 21.3 Registry Integration
- **Zastava Registry Hooks**: Auto-scan on container push (all tiers)
- Registry webhook observer
- Event-driven scanning
### 21.4 CI/CD Integration (Enterprise)
- GitLab CI/CD gates
- GitHub Actions integration
- Jenkins plugin
- Custom webhook endpoints
### 21.5 Custom Webhooks (Enterprise)
- Configurable endpoints
- Event filtering
- Payload customization
### 21.6 Enterprise Connectors (Enterprise)
- Grid/Premium API access
- Custom connector development
- Third-party integration support
### 21.7 Gateway & Router
- API gateway with routing
- Transport abstraction (TCP/TLS/UDP/RabbitMQ/Valkey)
- Rate limiting
- Request routing
---
## 22. Observability & Telemetry
### 22.1 Metrics
- Basic metrics (all tiers)
- Scan performance metrics
- Resource utilization metrics
- Error rate tracking
### 22.2 OpenTelemetry (Enterprise)
- Full distributed tracing
- Trace context propagation
- Custom span attributes
### 22.3 Prometheus Export (Enterprise)
- Prometheus metric format
- Custom metrics endpoints
- Grafana dashboard support
### 22.4 Telemetry Options
- Opt-in telemetry (all tiers)
- Telemetry configuration
- Privacy controls
### 22.5 Quality KPIs Dashboard (Enterprise)
- Triage metrics
- Detection accuracy
- Coverage statistics
### 22.6 SLA Monitoring (Enterprise)
- Uptime tracking
- Performance monitoring
- SLA compliance reporting
### 22.7 Logging
- Structured logging
- Log levels configuration
- Log aggregation support
---
## 23. Scheduling & Automation
### 23.1 Manual Scans
- On-demand scanning (all tiers)
- CLI-triggered scans
- UI-initiated scans
### 23.2 Scheduled Scans (Enterprise)
- Cron-based scheduling
- Recurring scan configuration
- Schedule management
### 23.3 Event-Driven Scanning (Enterprise)
- Registry push triggers
- Webhook-initiated scans
- Pipeline integration
### 23.4 Task Pack Orchestration (Enterprise)
- Declarative workflow definition
- Task pack execution
- Plan-hash binding
- Approval gates
- Sealed mode for air-gap
### 23.5 EPSS Daily Refresh (Enterprise)
- Automatic EPSS updates
- Score recalculation
- Delta notifications
### 23.6 Scheduler Features
- Job queue management
- Priority scheduling
- Resource allocation
- Failure retry policies
### 23.7 Orchestrator Features
- Workflow coordination
- Task dependency management
- Parallel execution
- Status tracking
---
## 24. Version Comparison
### 24.1 Package Version Formats
- **RPM (NEVRA)**: Name-Epoch-Version-Release-Architecture
- **Debian (EVR)**: Epoch-Version-Release
- **Alpine (APK)**: Alpine package versioning
- **SemVer**: Semantic versioning (major.minor.patch)
### 24.2 PURL Resolution
- Package URL parsing
- Ecosystem-aware resolution
- Version normalization
### 24.3 Version Range Matching
- Affected version range detection
- Fixed version identification
- Upgrade path calculation
---
## 25. Database & Storage
### 25.1 PostgreSQL Features
- PostgreSQL 16+ support
- Per-module schema isolation
- Row-Level Security (RLS) for multi-tenancy
- Connection pooling
### 25.2 Valkey/Redis Features
- Valkey 8.0+ support
- Caching layer
- Job queue backend
- Session storage
### 25.3 Object Storage (RustFS/S3)
- S3-compatible storage (Community/Enterprise)
- Content-addressed blob storage
- SBOM/evidence storage
- Artifact storage
### 25.4 Storage Features
- Content deduplication
- Compression support
- Encryption at rest
- Retention policies
---
## 26. API Capabilities
### 26.1 REST API
- RESTful endpoints
- OpenAPI 3.0 specification
- JSON request/response
- Pagination support
### 26.2 API Features
- Rate limiting (all tiers)
- HTTP 429 backpressure handling
- `Retry-After` headers
- Priority queue (Enterprise)
- Burst allowance (Enterprise)
### 26.3 Quota Management
- Usage API (`/quota`)
- Scan quota tracking
- Quota enforcement
- Custom quotas (Enterprise)
### 26.4 API Authentication
- API key authentication
- JWT bearer tokens
- OAuth 2.0 support
- DPoP support
---
## 27. Support & Services
### 27.1 Documentation
- Comprehensive documentation (all tiers)
- API reference
- Architecture guides
- Tutorials and guides
### 27.2 Community Support
- Community forums (all tiers)
- GitHub Issues (all tiers)
- Documentation wiki
### 27.3 Email Support (Enterprise)
- Business hours support
- Ticket-based support
### 27.4 Priority Support (Enterprise)
- 4-hour response time
- Priority ticket handling
### 27.5 24/7 Critical Support (Enterprise)
- Round-the-clock support (add-on)
- Emergency response
### 27.6 Dedicated CSM (Enterprise)
- Named customer success manager
- Regular check-ins
- Account management
### 27.7 Professional Services (Enterprise)
- Implementation assistance
- Custom development
- Architecture review
### 27.8 Training & Certification (Enterprise)
- Team enablement
- Certification programs
- Custom training
### 27.9 SLA Guarantee (Enterprise)
- 99.9% uptime guarantee
- SLA credits
- Performance guarantees
---
## Appendix A: Module Reference
| Module | Description |
|--------|-------------|
| **Authority** | Authentication, authorization, OAuth/OIDC, DPoP |
| **Gateway** | API gateway with routing and transport abstraction |
| **Router** | Transport-agnostic messaging |
| **Concelier** | Vulnerability advisory ingestion and merge engine |
| **Excititor** | VEX document ingestion and export |
| **VexLens** | VEX consensus computation across issuers |
| **VexHub** | VEX distribution and exchange hub |
| **IssuerDirectory** | Issuer trust registry |
| **Feedser** | Evidence collection for backport detection |
| **Mirror** | Vulnerability feed mirror and distribution |
| **Scanner** | Container scanning with SBOM generation |
| **BinaryIndex** | Binary identity extraction and fingerprinting |
| **AdvisoryAI** | AI-assisted advisory analysis |
| **ReachGraph** | Reachability graph service |
| **Symbols** | Symbol resolution and debug information |
| **Attestor** | in-toto/DSSE attestation generation |
| **Signer** | Cryptographic signing operations |
| **SbomService** | SBOM storage, versioning, and lineage ledger |
| **EvidenceLocker** | Sealed evidence storage and export |
| **ExportCenter** | Batch export and report generation |
| **Provenance** | SLSA/DSSE attestation tooling |
| **Policy** | Policy engine with K4 lattice logic |
| **RiskEngine** | Risk scoring runtime |
| **VulnExplorer** | Vulnerability exploration and triage UI backend |
| **Unknowns** | Unknown component and symbol tracking |
| **Scheduler** | Job scheduling and queue management |
| **Orchestrator** | Workflow orchestration and task coordination |
| **TaskRunner** | Task pack execution engine |
| **Notify** | Notification toolkit |
| **Notifier** | Notifications Studio host |
| **PacksRegistry** | Task packs registry and distribution |
| **TimelineIndexer** | Timeline event indexing |
| **Replay** | Deterministic replay engine |
| **CLI** | Command-line interface |
| **Zastava** | Container registry webhook observer |
| **Web** | Angular frontend SPA |
| **Cryptography** | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) |
| **Telemetry** | OpenTelemetry traces, metrics, logging |
| **Graph** | Call graph and reachability data structures |
| **Signals** | Runtime signal collection and correlation |
| **AirGap** | Air-gapped deployment support |
| **AOC** | Append-Only Contract enforcement |
---
## Appendix B: Supported Standards
| Standard | Version | Usage |
|----------|---------|-------|
| CycloneDX | 1.7 | Primary SBOM format |
| SPDX | 3.0.1 | SBOM format |
| in-toto | Statement v1 | Attestation format |
| DSSE | v1 | Envelope signing |
| OpenVEX | Current spec | VEX format |
| SARIF | 2.1.0 | Findings interchange |
| Sigstore Rekor | API stable | Transparency logging |
| SLSA | v1.0 | Provenance attestation |
---
## Appendix C: Glossary
| Term | Definition |
|------|------------|
| **SBOM** | Software Bill of Materials - component inventory |
| **VEX** | Vulnerability Exploitability eXchange - exploitability status |
| **DSSE** | Dead Simple Signing Envelope - detached signatures |
| **in-toto** | Software supply chain attestation framework |
| **K4 Lattice** | Belnap four-valued logic (Unknown, True, False, Conflict) |
| **SRM** | Scan Replay Manifest - deterministic replay bundle |
| **PURL** | Package URL - universal package identifier |
| **NEVRA** | Name-Epoch-Version-Release-Architecture (RPM) |
| **EVR** | Epoch-Version-Release (Debian) |
| **KEV** | Known Exploited Vulnerabilities |
| **EPSS** | Exploit Prediction Scoring System |
| **OVAL** | Open Vulnerability and Assessment Language |
---
*Last updated: 4 Jan 2026*
*For tier availability, see [`04_FEATURE_MATRIX.md`](04_FEATURE_MATRIX.md)*