git.stella-ops.org/docs/contracts

StellaOps Contracts

This directory contains formal contract specifications for cross-module interfaces. These contracts define the data models, APIs, and integration points used throughout StellaOps.

Purpose

Contracts serve as the authoritative source for:

• Data model definitions (request/response shapes)
• API endpoint specifications
• Integration requirements between modules
• Dependency documentation for sprint planning

Contract Index

Contract	ID	Unblocks	Status
Advisory Key	CONTRACT-ADVISORY-KEY-001	6+ tasks	Published
Risk Scoring	CONTRACT-RISK-SCORING-002	5+ tasks	Published
Mirror Bundle	CONTRACT-MIRROR-BUNDLE-003	8+ tasks	Published
Sealed Mode	CONTRACT-SEALED-MODE-004	4+ tasks	Published
VEX Lens	CONTRACT-VEX-LENS-005	2+ tasks	Published
Verification Policy	CONTRACT-VERIFICATION-POLICY-006	4+ tasks	Published
Policy Studio	CONTRACT-POLICY-STUDIO-007	3+ tasks	Published
Authority Effective Write	CONTRACT-AUTHORITY-EFFECTIVE-WRITE-008	2+ tasks	Published
Export Bundle	CONTRACT-EXPORT-BUNDLE-009	1+ tasks	Published
Crypto Provider Registry	CONTRACT-CRYPTO-PROVIDER-REGISTRY-010	1+ tasks	Published
Findings Ledger RLS	CONTRACT-FINDINGS-LEDGER-RLS-011	2 tasks	Published
API Governance Baseline	CONTRACT-API-GOVERNANCE-BASELINE-012	10+ tasks	Published
Scanner PHP Analyzer	CONTRACT-SCANNER-PHP-ANALYZER-013	1 task	Published
Scanner Surface	CONTRACT-SCANNER-SURFACE-014	1 task	Published
RichGraph v1	CONTRACT-RICHGRAPH-V1-015	40+ tasks	Published

Contract Categories

Core Data Models

• Advisory Key - Vulnerability ID canonicalization
• VEX Lens - VEX observation correlation
• Risk Scoring - Finding prioritization

Air-Gap / Offline

• Mirror Bundle - Bundle format for offline transport
• Sealed Mode - Sealed environment operation

Security / Attestation

• Verification Policy - Attestation verification rules
• Crypto Provider Registry - Pluggable crypto

Policy Management

• Policy Studio - Policy editing and compilation
• Authority Effective Write - Policy attachment

Export

• Export Bundle - Scheduled export jobs

Tenancy / Database

• Findings Ledger RLS - Row-Level Security and partitioning

SDK & API Governance

• API Governance Baseline - OpenAPI freeze and SDK generation

Scanner

• Scanner PHP Analyzer - PHP language analyzer bootstrap
• Scanner Surface - Surface analysis framework

Reachability / Evidence

• RichGraph v1 - Function-level reachability graph schema

Related Resources

API Documentation

• Policy API
• Graph API

Module Architecture

• Excititor Architecture
• Policy Engine Architecture
• Attestor Architecture
• AirGap Documentation

JSON Schemas

• Mirror Bundle Schema
• Verification Policy Schema
• Risk Profile Schema

Contract Lifecycle

1. Draft - Contract under development
2. Published - Contract is stable and ready for implementation
3. Deprecated - Contract is being phased out
4. Retired - Contract is no longer valid

Contributing

When updating contracts:

1. Increment version number
2. Update Last Updated date
3. Document breaking changes
4. Update Unblocks section if tasks change
5. Add cross-references to related contracts

Sprint Integration

Contracts unblock BLOCKED tasks in sprint files. When a contract is published:

1. Update the sprint file task status from BLOCKED to TODO
2. Add note: Unblocked by CONTRACT-xxx (docs/contracts/xxx.md)
3. Remove the blocked reason