Add 12 new sprint files (Integrations, Graph, JobEngine, FE, Router, AdvisoryAI), archive completed scheduler UI sprint, update module architecture docs (router, graph, jobengine, web, integrations), and add Gitea entrypoint script for local dev. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Release Orchestrator
Central release control plane for non-Kubernetes container estates.
Status: Planned (not yet implemented)
Source: Full Architecture Specification
Purpose
The Release Orchestrator extends Stella Ops from a vulnerability scanning platform into Stella Ops Suite — a unified release control plane for non-Kubernetes container environments. It integrates:
- Existing capabilities: SBOM generation, reachability-aware vulnerability analysis, VEX support, policy engine, evidence locker, deterministic replay
- New capabilities: Environment management, release orchestration, promotion workflows, deployment execution, progressive delivery, audit-grade release governance
Scope
| In Scope | Out of Scope |
|---|---|
| Non-K8s container deployments (Docker, Compose, ECS, Nomad) | Kubernetes deployments (use ArgoCD, Flux) |
| Release identity via OCI digests | Tag-based release identity |
| Plugin-extensible integrations | Hard-coded vendor integrations |
| SSH/WinRM + agent-based deployment | Cloud-native serverless deployments |
| L4/L7 traffic management via router plugins | Built-in service mesh |
Documentation Structure
Design & Principles
- Design Principles — Core principles and invariants
- Key Decisions — Architectural decision record
Implementation
- Implementation Guide — .NET 10 patterns and best practices
- Test Structure — Test organization and guidelines
Module Architecture
- Module Overview — All modules and themes
- Integration Hub (INTHUB) — External integrations
- Environment Manager (ENVMGR) — Environments and targets
- Release Manager (RELMAN) — Release bundles and versions
- Workflow Engine (WORKFL) — DAG execution
- Promotion Manager (PROMOT) — Approvals and gates
- Deploy Orchestrator (DEPLOY) — Deployment execution
- Agents (AGENTS) — Deployment agents
- Progressive Delivery (PROGDL) — A/B and canary
- Release Evidence (RELEVI) — Evidence packets
- Plugin System (PLUGIN) — Plugin infrastructure
Data Model
- Database Schema — PostgreSQL schema specification
- Entity Definitions — Entity descriptions
API Specification
- API Overview — API design principles
- Environment APIs — Environment endpoints
- Release APIs — Release endpoints
- Promotion APIs — Promotion endpoints
- Promotion Runtime Gap Closure Plan — Docs-to-runtime delivery sequence
- Workflow APIs — Workflow endpoints
- Agent APIs — Agent endpoints
- WebSocket APIs — Real-time endpoints
Workflow Engine
- Template Structure — Workflow template specification
- Execution State Machine — Workflow state machine
- Promotion State Machine — Promotion state machine
- Evidence-Based Release Gates — Data-driven evidence gate contract and outcomes
Security
- Security Overview — Security principles
- Authentication & Authorization — AuthN/AuthZ
- Agent Security — Agent security model
- Threat Model — Threats and mitigations
- Audit Trail — Audit logging
Integrations
- Integration Overview — Integration types
- Connector Interface — Connector specification
- Webhook Architecture — Webhook handling
- CI/CD Patterns — CI/CD integration patterns
Deployment
- Deployment Overview — Architecture overview
- Deployment Strategies — Deployment strategies
- Agent-Based Deployment — Agent deployment
- Agentless Deployment — SSH/WinRM deployment
- Artifact Generation — Generated artifacts
Progressive Delivery
- Progressive Overview — Progressive delivery architecture
- A/B Releases — A/B release models
- Canary Controller — Canary implementation
- Router Plugins — Traffic routing plugins
UI/UX
- Dashboard Specification — Dashboard screens
- Workflow Editor — Workflow editor
- Screen Reference — Key UI screens
Operations
- Metrics — Metrics specification
- Logging — Logging patterns
- Tracing — Distributed tracing
- Alerting — Alert rules
Implementation
- Roadmap — Implementation phases
- Resource Requirements — Sizing
Appendices
- Glossary — Term definitions
- Configuration Reference — Configuration options
- Error Codes — API error codes
- Evidence Schema — Evidence packet format
- Optional Promotion Capsule — Optional DSSE capsule and human_decision envelope profile
Quick Reference
Key Principles
- Digest-first release identity — Releases are immutable OCI digests, not tags
- Evidence for every decision — Every promotion/deployment produces sealed evidence
- Pluggable everything, stable core — Integrations are plugins; core is stable
- No feature gating — All plans include all features
- Offline-first operation — Core works in air-gapped environments
- Immutable generated artifacts — Every deployment generates stored artifacts
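The first two principles, digest-first identity and sealed evidence for every decision, are concrete enough to show in code. The following is an added illustration, not code from the Stella Ops project: it parses an OCI reference and refuses anything that is not pinned to a `sha256` digest (a tag may be present but is kept only as a label), then builds a promotion decision record whose identity is the digest alone and seals it as a canonical-JSON SHA-256. The function names, the record layout and the `sha256:` seal format are assumptions for this example; the project's real packet format is specified in its Evidence Schema appendix, and a production seal would additionally be signed (for example in a DSSE envelope) rather than merely hashed.

```python
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

# Only the sha256 algorithm is accepted here (assumption for this example).
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ReleaseRef:
    repository: str        # e.g. registry.example.com:5000/team/app
    digest: str            # sha256:<64 hex>; this is the release identity
    tag: Optional[str]     # informational label only, never used for identity


def parse_release_ref(ref: str) -> ReleaseRef:
    """Accept only digest-pinned OCI references.

    'repo:tag' is rejected outright. 'repo:tag@sha256:...' is accepted, but
    the tag is retained only as a label; identity is the digest.
    """
    if "@" not in ref:
        raise ValueError(f"tag-based reference rejected, digest required: {ref}")
    name, digest = ref.rsplit("@", 1)
    if not _DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed or unsupported digest: {digest}")
    tag = None
    # A ':' after the last '/' separates the tag from the repository path;
    # a ':' before it belongs to a registry port (host:5000/...).
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    if not name:
        raise ValueError(f"empty repository in reference: {ref}")
    return ReleaseRef(repository=name, digest=digest, tag=tag)


def is_digest_pinned(ref: str) -> bool:
    """Boolean form of parse_release_ref for use in gates and tests."""
    try:
        parse_release_ref(ref)
        return True
    except ValueError:
        return False


def seal_evidence(decision: dict) -> tuple:
    """Canonicalise a decision record and return (body_bytes, seal).

    Canonical JSON (sorted keys, no whitespace) makes the seal a pure function
    of the decision content, so deterministic replay of the same inputs
    re-derives the same seal. Signing the body is left out of this example.
    """
    body = json.dumps(decision, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")
    return body, "sha256:" + hashlib.sha256(body).hexdigest()


def build_promotion_evidence(ref_str: str, env_from: str, env_to: str,
                             gate_results: dict) -> tuple:
    """Build and seal a promotion decision for a digest-pinned release.

    The subject deliberately carries only repository and digest: including the
    tag would make the seal depend on a mutable label.
    """
    ref = parse_release_ref(ref_str)
    decision = {
        "kind": "promotion",
        "subject": {"repository": ref.repository, "digest": ref.digest},
        "from": env_from,
        "to": env_to,
        "gates": gate_results,                     # gate name -> passed?
        "outcome": "approved" if all(gate_results.values()) else "rejected",
    }
    return seal_evidence(decision)


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    pinned = "registry.example.com:5000/team/app:1.4.2@sha256:" + "ab" * 32
    print(parse_release_ref(pinned))
    print(is_digest_pinned("registry.example.com/team/app:latest"))  # tag only
    body, seal = build_promotion_evidence(pinned, "staging", "prod",
                                          {"sbom": True, "vex": True})
    print(body.decode(), seal)
```

Two properties are worth checking when adapting this: the same digest promoted under two different tags must produce the same seal, because the tag is not part of the identity, and any change to a gate result must change both the outcome and the seal.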
Platform Themes
| Theme | Purpose |
|---|---|
| INTHUB | Integration hub — external system connections |
| ENVMGR | Environment management — environments, targets, agents |
| RELMAN | Release management — components, versions, releases |
| WORKFL | Workflow engine — DAG execution, steps |
| PROMOT | Promotion — approvals, gates, decisions |
| DEPLOY | Deployment — execution, artifacts, rollback |
| AGENTS | Agents — Docker, Compose, ECS, Nomad |
| PROGDL | Progressive delivery — A/B, canary |
| RELEVI | Evidence — packets, stickers, audit |
| PLUGIN | Plugins — registry, loader, SDK |