# 3 · Product Vision — **Stella Ops**

*(v1.3 — 12 Jul 2025 · supersedes v1.2; expanded with ecosystem integration, refined metrics, and alignment to emerging trends)*

---

## 0 Preamble

This Vision builds on the purpose and gap analysis defined in **01 WHY**.

It paints a three‑year “north‑star” picture of success for the open‑source project and sets the measurable guard‑rails that every roadmap item must serve, while fostering ecosystem growth and adaptability to trends like SBOM mandates, AI‑assisted security **and transparent usage quotas**.

---

## 1 North‑Star Vision Statement (2027)

> *By mid‑2027, Stella Ops is the fastest, most‑trusted self‑hosted SBOM scanner. Developers expect vulnerability feedback in **five seconds or less**—even while the free tier enforces a transparent **333 scans/day** limit with graceful waiting. The project thrives on a vibrant plug‑in marketplace, weekly community releases, transparent governance, and seamless integrations with major CI/CD ecosystems—while never breaking the five‑second promise.*

---

## 2 Outcomes & Success Metrics

| KPI (community‑centric) | Baseline Jul 2025 | Target Q2‑2026 | North‑Star 2027 |
| -------------------------------- | ----------------- | -------------- | --------------- |
| ⭐ Gitea / GitHub stars | 0 | 4 000 | 10 000 |
| Weekly active Docker pulls | 0 | 1 500 | 4 000 |
| P95 SBOM scan time (alpine) | 5 s | **≤ 5 s** | **≤ 4 s** |
| Free‑tier scan satisfaction* | n/a | ≥ 90 % | ≥ 95 % |
| First‑time‑contributor PRs / qtr | 0 | 15 | 30 |

\*Measured via anonymous, *opt‑in only* telemetry: the share of scan requests that complete successfully rather than fail with `429 QuotaExceeded`.

---

## 3 Strategic Pillars

1. **Speed First** – preserve the sub‑5 s P95 wall‑time; any feature that hurts it must ship behind a toggle or plug‑in. **Quota throttling must apply a soft 5 s delay first, so “speed first” remains true even at the limit.**
2. **Offline‑by‑Design** – every byte required to scan ships in public images; Internet access is optional.
3. **Modular Forever** – capabilities land as hot‑load plug‑ins; the monolith can split without rewrites.
4. **Community Ownership** – ADRs and governance decisions live in public; new maintainers are elected on merit.
5. **Zero‑Surprise Upgrades & Limits** – SemVer discipline; `main` is always installable; minor upgrades never break CI YAML **and free‑tier limits are clearly documented, with early UI warnings.**
6. **Ecosystem Harmony** – prioritise integrations with popular OSS tools (e.g., Trivy extensions, BuildKit hooks) to lower adoption barriers.

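The quota behaviour that pillars 1 and 5 describe (a daily allowance, an early warning, a soft delay before any hard stop) and the §2 satisfaction KPI interact in ways that are easy to get subtly wrong, so the following is an added worked example in Python. It is illustrative code written for this page, not Stella Ops code. The 333/day limit, the 5 s soft delay and the `429 QuotaExceeded` status come from the document; the 90 % banner threshold, the 33‑scan soft‑delay band, the per‑tenant UTC‑day window and the Redis key layout mentioned in the comments are assumptions.

```python
"""Free-tier quota decision logic: illustrative example, not project code.

From the vision document: 333 scans/day, an early banner, a soft 5 s delay
before any hard rejection, and a KPI of successes vs `429 QuotaExceeded`.
Assumed here: the 90 % banner threshold, a 33-scan soft-delay band, and a
per-tenant UTC calendar-day window keyed the way a Redis INCR would be.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Iterable

DAILY_LIMIT = 333                   # from the document
SOFT_DELAY_SECONDS = 5.0            # "soft 5 s delay first"
WARN_AT = int(DAILY_LIMIT * 0.9)    # assumption: banner from 90 % of quota
SOFT_BAND = 33                      # assumption: scans served delayed before 429


class Verdict(Enum):
    ALLOW = "allow"
    ALLOW_WITH_BANNER = "allow+banner"   # early UI warning (pillar 5)
    SOFT_DELAY = "soft-delay"            # wait-wall: served, but delayed
    REJECT_429 = "429 QuotaExceeded"     # hard stop, counted by the KPI


@dataclass
class Decision:
    verdict: Verdict
    delay_seconds: float   # what the HTTP layer should sleep / send as Retry-After
    remaining: int         # scans left before the soft band starts


def decide(scans_used_today: int) -> Decision:
    """Map the count already consumed today (before this scan) to a verdict."""
    remaining = max(DAILY_LIMIT - scans_used_today, 0)
    if scans_used_today < WARN_AT:
        return Decision(Verdict.ALLOW, 0.0, remaining)
    if scans_used_today < DAILY_LIMIT:
        return Decision(Verdict.ALLOW_WITH_BANNER, 0.0, remaining)
    if scans_used_today < DAILY_LIMIT + SOFT_BAND:
        return Decision(Verdict.SOFT_DELAY, SOFT_DELAY_SECONDS, 0)
    return Decision(Verdict.REJECT_429, 0.0, 0)


class QuotaCounter:
    """In-memory stand-in for `INCR quota:<tenant>:<YYYY-MM-DD>` in Redis.

    In production the key would get an EXPIRE at the next UTC midnight, so
    the window resets with no scheduler. Assumption: per-tenant, UTC day.
    """

    def __init__(self) -> None:
        self._counts: Dict[str, int] = {}

    @staticmethod
    def key(tenant: str, now: datetime) -> str:
        return f"quota:{tenant}:{now.astimezone(timezone.utc):%Y-%m-%d}"

    def consume(self, tenant: str, now: datetime) -> Decision:
        k = self.key(tenant, now)
        used = self._counts.get(k, 0)
        decision = decide(used)
        if decision.verdict is not Verdict.REJECT_429:
            self._counts[k] = used + 1   # a rejected request does not consume quota
        return decision


def satisfaction_ratio(verdicts: Iterable[Verdict]) -> float:
    """KPI from §2: share of scan attempts that complete rather than hit 429."""
    total = ok = 0
    for v in verdicts:
        total += 1
        if v is not Verdict.REJECT_429:
            ok += 1
    return ok / total if total else 1.0


def simulate_day(n_requests: int, tenant: str = "demo") -> float:
    """Constructed load: n_requests scans from one tenant within one UTC day."""
    counter = QuotaCounter()
    now = datetime(2025, 7, 14, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    verdicts = [counter.consume(tenant, now).verdict for _ in range(n_requests)]
    return satisfaction_ratio(verdicts)


if __name__ == "__main__":
    for used in (0, WARN_AT, DAILY_LIMIT, DAILY_LIMIT + SOFT_BAND):
        print(used, decide(used))
    print("satisfaction at 400 scans/day:", simulate_day(400))
```

Two design points matter here. A rejected request does not increment the counter, so a CI job that keeps retrying after a 429 cannot push itself further into the penalty band than it already is. And the window is encoded in the key rather than in a stored timestamp, which is what lets a Redis `EXPIRE` at midnight reset the quota without a cron job; the telemetry footnote in §2 then reduces to counting how many decisions in the day were `REJECT_429`.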
---

## 4 Road‑map Themes (18‑24 months)

| Horizon | Theme | Example EPIC |
| ------------------ | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| **Q3‑2025** (3 mo) | **Core Stability & UX** | One‑command installer; dark‑mode UI; baseline SBOM scanning; **Free‑tier Quota Service (333 scans/day, early banner, wait‑wall).** |
| 6–12 mo | *Extensibility* | Scan‑service micro‑split PoC; community plug‑in marketplace beta. |
| 12–18 mo | *Ecosystem* | Community plug‑in marketplace launch; integrations with Syft and Harbor. |
| 18–24 mo | *Resilience & Scale* | Redis Cluster auto‑sharding; AI‑assisted triage plug‑in framework. |

*(Granular decomposition lives in 25_LEDGER.md.)*

---

## 5 Stakeholder Personas & Benefits

| Persona | Core Benefit |
| --------------------- | ---------------------------------------------------------------- |
| Solo OSS maintainer | Laptop scans in **≤ 5 s**; zero cloud reliance. |
| CI Platform Engineer | Single‑binary backend + Redis; stable YAML integrations. |
| Security Auditor | AGPL code, traceable CVE sources, reproducible benchmarks. |
| Community Contributor | Plug‑in hooks and good‑first issues; merit‑based maintainer path. |
| Budget‑conscious Lead | Clear **333 scans/day** allowance before upgrades are required. |

(See **01 WHY §3** for detailed pain‑points & evidence.)

---

## 6 Non‑Goals (2025‑2027)

* Multi‑tenant SaaS offering.
* Automated “fix PR” generation.
* Proprietary compliance certifications (left to downstream distros).
* Windows **container** scanning (agents only).

---

## 7 Review & Change Process

* **Cadence:** the product owner leads a public Vision review every **2 sprints (≈ 1 quarter)**.
* **Amendments:** material changes require a PR labelled `type:vision` plus two maintainer approvals.
* **Versioning:** bump patch for a typo, minor for a KPI tweak, major if the North‑Star statement shifts.
* **Community Feedback:** open GitHub Discussions for input; incorporate top‑voted suggestions quarterly.

---

## 8 · Change Log

| Version | Date | Note (high‑level) |
| ------- | ----------- | ----------------------------------------------------------------------------------------------------- |
| v1.4 | 14‑Jul‑2025 | First public revision reflecting quarterly roadmap & KPI baseline. |
| v1.3 | 12‑Jul‑2025 | Expanded ecosystem pillar, added metrics/integrations, refined non‑goals, community persona/feedback. |
| v1.2 | 11‑Jul‑2025 | Restructured to link with WHY; merged principles into Strategic Pillars; added review §7. |
| v1.1 | 11‑Jul‑2025 | Original OSS‑only vision. |
| v1.0 | 09‑Jul‑2025 | First public draft. |

*(End of Product Vision v1.3)*