git.stella-ops.org/docs/technical/architecture/component-map.md

Platform Component Map

Concise descriptions of every top-level component under src/, summarising the role documented across Stella Ops technical guides and how each module interacts with the rest of the platform. Use this as a quick orientation map before diving into the module-specific dossiers listed in architecture/README.md.

Advisory & Evidence Services

• AdvisoryAI — Experimental intelligence helpers that summarise and prioritise advisory data for humans. Ingests canonical observations from Concelier/Excititor, adds explainable insights, and feeds UI/CLI and Policy workflows. See docs/modules/advisory-ai/architecture.md.
• Concelier — Canonical advisory ingestion engine enforcing the Aggregation-Only Contract (AOC). Produces immutable observations/linksets consumed by Policy Engine, Graph, Scheduler, and Export Center. Docs in docs/modules/concelier/architecture.md and docs/modules/concelier/guides/aggregation-only-contract.md.
• Excititor — VEX statement normaliser applying AOC guardrails. Supplies VEX observations to Policy Engine, VEX Lens, Scheduler, and UI. Reference docs/modules/excititor/architecture.md and docs/VEX_CONSENSUS_GUIDE.md.
• VexLens — Provides focused exploration of VEX evidence, conflict analysis, and waiver insights for UI/CLI. Backed by Excititor and Policy Engine (docs/modules/vex-lens/architecture.md).
• EvidenceLocker — Long-term store for signed evidence bundles (DSSE, SRM, policy waivers). Integrates with Attestor, Export Center, Policy, and replay tooling (docs/modules/evidence-locker/guides/evidence-locker.md).
• ExportCenter — Packages reproducible evidence bundles and mirror artefacts for online/offline distribution. Pulls from Concelier, Excititor, Policy, Scanner, Attestor, and Registry (docs/modules/export-center/architecture.md).
• Mirror — Feed and artefact mirroring services supporting Offline Update Kits, registry mirrors, and air-gapped updates (docs/modules/devops/architecture.md, docs/modules/airgap/guides/).

Scanning, SBOM & Risk

• Scanner — Deterministic scanning with API + worker pair. Generates SBOM fragments, emits SRM/DSSE-ready reports, hands results to Signer/Attestor, and surfaces status to Scheduler/CLI/UI (docs/modules/scanner/architecture.md).
• SbomService — SBOM inventory store and delta cache leveraged by Scanner, Policy Engine, Cartographer, and Export Center (docs/modules/scanner/architecture.md, SBOM sections).
• RiskEngine — Consolidates Policy verdicts, runtime signals, and graph overlays into prioritised risk views (docs/modules/policy/architecture.md, docs/modules/graph/architecture.md).
• Findings — Materialises effective findings from Policy Engine outputs and evidence. Feeds UI, CLI, Notify, and Governance dashboards (docs/modules/policy/architecture.md, findings sections).
• Cartographer — (merged into Graph API) Builds identity graphs from SBOM/advisory data. Endpoints now served by src/Graph/StellaOps.Graph.Api (docs/modules/graph/architecture.md).
• Graph — Graph API + indexer + Cartographer endpoints, exposing relationship queries and build/overlay operations to UI/CLI/Scheduler (docs/modules/graph/architecture.md).
• VulnExplorer — (merged into Findings Ledger) Explorer for vulnerabilities that combines Concelier data, graph overlays, and Policy results for UI/CLI consumption. Endpoints now served by src/Findings/StellaOps.Findings.Ledger.WebService.

Policy & Governance

• Policy — Policy Engine core libraries and services executing lattice logic across SBOM, advisory, and VEX evidence. Emits explain traces, drives Findings, Notifier, and Export Center (docs/modules/policy/architecture.md).
• Policy Studio / PacksRegistry - Authoring and reusable template services that orchestrate policy and operational workflows (docs/modules/packs-registry/guides/, docs/modules/cli/, docs/modules/ui/).
• Governance components (Authority scopes, Policy governance, Console policy UI) are covered in docs/security/policy-governance.md and docs/modules/ui/policies.md.

Identity, Signing & Provenance

• Authority — Identity provider issuing short-lived OpToks, enforcing scopes/tenancy, and powering every module's authentication story (docs/AUTHORITY.md, docs/modules/authority/architecture.md).
• Signer — DSSE signing backend supporting keyless/keyful modes with Authority-managed trust roots (docs/modules/signer/architecture.md).
• Attestor — Manages proof bundles, optional Rekor mirror, and distribution to consumers (docs/modules/attestor/architecture.md).
• Provenance — Utilities and services for DSSE/SLSA provenance verification, consumed by Export Center, EvidenceLocker, and Replay (docs/modules/export-center/provenance-and-signing.md).
• IssuerDirectory — Directory of trust issuers/KMS bindings used by Authority, Signer, Attestor, Export Center, and AirGap cryptographic profiles (docs/modules/authority/architecture.md, trust sections).

Scheduling, Orchestration & Automation

• Scheduler — Detects advisory/VEX deltas and orchestrates deterministic rescan runs toward Scanner and Policy Engine (docs/modules/scheduler/architecture.md).

• Orchestrator — Central coordination service dispatching jobs (scans, exports, policy runs) to modules, working closely with Scheduler, CLI, and UI (docs/modules/jobengine/architecture.md).

• Signals — Ingests runtime posture signals and feeds Policy/Notifier workflows (docs/modules/zastava/architecture.md, signals sections).

• TimelineIndexer — Builds timelines of evidence/events for forensics and audit tooling (docs/modules/timeline-indexer/guides/timeline.md).

Notification & UI

• Notify — Unified notification service (src/Notify/StellaOps.Notify.WebService) hosting both v1 channel/rule/template APIs and merged v2 Notifier endpoints (escalation, incident, simulation, storm-breaker, etc.). The notifier.stella-ops.local hostname is a DNS alias on the notify-web container. Built on the shared StellaOps.Notify.* libraries; see docs/modules/notify/architecture.md.

• Notifier Worker — Delivery engine (src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker) subscribing to the platform event bus, evaluating rules, rendering payloads, and invoking channel connectors. Remains a separate container.

• UI — Angular console surfacing scans, policy authoring, VEX evidence, runtime posture, and admin flows. Talks to Web gateway, Authority, Policy, Concelier, Scheduler, Notify, etc. (docs/modules/ui/architecture.md).

• DevPortal — Developer onboarding portal consuming Api definitions, CLI samples, and Authority auth flows (docs/modules/devops/architecture.md, dev portal sections).

Runtime & Registry

• Registry — Anonymous registry/token service hosting platform images and Offline Kit artefacts (docs/modules/registry/architecture.md).
• Zastava — Runtime observer/admission controller ensuring signed images, SBOM availability, and policy verdict enforcement in live clusters (docs/modules/zastava/architecture.md).
• Signals (shared above) plus runtime components integrate tightly with Zastava and Policy Engine.
• Bench — Performance benchmarking toolset validating platform SLAs (docs/PERFORMANCE_WORKBOOK.md).

Offline, Telemetry & Infrastructure

• AirGap — Bundles Offline Update Kits, enforces sealed-mode operations, and distributes trust roots/feeds (docs/OFFLINE_KIT.md, docs/modules/airgap/guides/).
• Telemetry — OpenTelemetry collector/storage deployment tooling, observability integrations, and offline metrics packages (docs/modules/telemetry/architecture.md, docs/modules/telemetry/guides/).
• Mirror and ExportCenter (above) complement AirGap by keeping offline mirrors in sync.
• Tools — Collection of utility programs (fixture generators, smoke tests, migration scripts) supporting all modules (docs/dev/fixtures.md, module-specific tooling sections).

CLI, SDK, Web Gateway

• Cli — Native command-line interface orchestrating scans, policy operations, offline workflows, and evidence replay (docs/modules/cli/architecture.md).
• Sdk — Shared SDK packages for third-party integration (C#, TS, etc.), wrapping Authority auth and API definitions (docs/api/).
• Web — API gateway/BFF exposing module APIs to UI/CLI and external clients, performing auth & route orchestration (docs/modules/platform/architecture-overview.md, gateway sections).

Remaining Shared Libraries

• Api, Sdk, __Libraries — Core shared contracts and helper libraries referenced throughout modules (configuration, messaging, federation). Each module dossier highlights its shared dependencies.
• Aoc library (mentioned above) is reused by ingestion components and verification tooling to enforce the Aggregation-Only Contract.

How It All Connects

High-level flows (see docs/ARCHITECTURE_OVERVIEW.md for the 10-minute tour):

1. Ingest — Concelier and Excititor use AOC to ingest advisories/VEX; Scheduler observes deltas.
2. Scan & Evaluate — Scanner generates SBOM evidence and hands to Signer/Attestor; Policy Engine merges SBOM, advisory, VEX, runtime signals; RiskEngine prioritises.
3. Store & Export — EvidenceLocker and Export Center package results; Registry serves artefacts; AirGap bundles offline editions.
4. Observe & Notify — Telemetry captures metrics/traces/logs; Notifier (via the shared StellaOps.Notify.* libraries) delivers alerts; UI/CLI/Web expose operations; TimelineIndexer builds audit trails.
5. Govern & Secure — Authority, IssuerDirectory, Signer, and Attestor maintain trust; Policy governance and console experiences let teams manage waivers and approvals.

Refer back to module-specific documentation for APIs, configuration, schema details, and operational runbooks. This component map will stay updated alongside module architecture changes—log updates in docs/updates/ whenever new modules are introduced or deprecated.