git.stella-ops.org/docs/technical/architecture/module-matrix.md
# Complete Module Matrix
This document is the inventory of the 46 top-level modules under `src/` in the StellaOps platform, grouped into the consolidated module set described in section 2. Module build entry points are the module solutions listed in docs/dev/SOLUTION_BUILD_GUIDE.md.
## Table of Contents
- [1. Module Count Explanation](#1-module-count-explanation)
- [2. Complete Module Inventory](#2-complete-module-inventory)
- [3. Module Categories](#3-module-categories)
- [4. Service Deployment Matrix](#4-service-deployment-matrix)
- [5. Module Dependencies](#5-module-dependencies)
---
## 1. Module Count Explanation
The solution contains **46 top-level modules** in `src/`. The counts below use the pre-consolidation module names; the architecture documentation covers the **~35 core user-facing modules** among them. Section 2 lists the modules as they exist after the consolidation sprints and records, per row, which former modules each one now includes.
| Category | Count | Description |
|----------|-------|-------------|
| Core Platform | 4 | Authority, Gateway, Router, Platform |
| Data Ingestion | 7 | Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Feedser, Mirror |
| Scanning & Analysis | 5 | Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph |
| Artifacts & Evidence | 7 | Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, Provenance, Provcache |
| Policy & Risk | 4 | Policy, RiskEngine, VulnExplorer, Unknowns |
| Operations | 8 | Scheduler, Orchestrator, TaskRunner, Notify, Notifier, PacksRegistry, TimelineIndexer, Replay |
| Integration | 5 | CLI, Zastava, Web, API, Registry |
| Infrastructure | 6 | Cryptography, Telemetry, Graph, Signals, AirGap, AOC |
| Testing & Benchmarks | 2 | Benchmark, Bench |
| Utility & Internal | 6+ | Cartographer, Findings, SmRemote, Tools, PluginBinaries, etc. |
---
## 2. Complete Module Inventory
### Core Platform (3 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Authority** | `src/Authority/` | Authentication, authorization, OAuth/OIDC, DPoP, tenant management. Includes IssuerDirectory (Sprint 216). | Yes | No | PostgreSQL (`authority`) |
| **Router** | `src/Router/` | Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey) and HTTP ingress gateway. `src/Gateway/` deleted (Sprint 200). | Yes | No | Valkey |
| **Platform** | `src/Platform/` | Platform Service aggregation APIs, console data composition | Yes | No | Aggregates |
### Data Ingestion (4 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Concelier** | `src/Concelier/` | Vulnerability advisory ingestion (NVD, OSV, GHSA, CSAF), merge engine with AOC. Includes Feedser and Excititor (Sprint 203). | Yes | Yes | PostgreSQL (`vuln`, `vex`) |
| **VexLens** | `src/VexLens/` | VEX consensus computation across issuers, conflict analysis | Yes | No | PostgreSQL (cache) |
| **VexHub** | `src/VexHub/` | VEX distribution and exchange hub | Yes | No | PostgreSQL |
| **Mirror** | `src/Mirror/` | Vulnerability feed mirror and distribution | Yes | Yes | RustFS |
### Scanning & Analysis (4 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Scanner** | `src/Scanner/` | Container scanning with SBOM generation (11 language analyzers), call graphs. Includes Cartographer (Sprint 201). | Yes | Yes | PostgreSQL (`scanner`) + RustFS |
| **BinaryIndex** | `src/BinaryIndex/` | Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202). | Yes | No | PostgreSQL |
| **AdvisoryAI** | `src/AdvisoryAI/` | AI-assisted advisory analysis and summarization. Includes OpsMemory (Sprint 213). | Yes | No | PostgreSQL |
| **ReachGraph** | `src/ReachGraph/` | Reachability graph service, CVE reachability analysis | Yes | No | PostgreSQL |
### Artifacts & Evidence (5 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Attestor** | `src/Attestor/` | in-toto/DSSE attestation generation, Rekor v2 integration. Includes Signer and Provenance (Sprint 204). | Yes | No | PostgreSQL + RustFS |
| **SbomService** | `src/SbomService/` | SBOM storage, versioning, and lineage ledger | Yes | No | PostgreSQL + RustFS |
| **EvidenceLocker** | `src/EvidenceLocker/` | Sealed evidence storage and export | Yes | No | RustFS |
| **ExportCenter** | `src/ExportCenter/` | Batch export and report generation (SARIF, SBOM, evidence bundles) | Yes | No | RustFS |
| **Provcache** | Library | Provenance cache utilities | Library | N/A | N/A |
### Policy & Risk (3 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Policy** | `src/Policy/` | Policy engine with K4 lattice logic, confidence scoring, VEX emission | Yes | Yes | PostgreSQL (`policy`) |
| **Unknowns** | `src/Unknowns/` | Unknown component and symbol tracking registry (boundary preserved, Sprint 206) | Yes | No | PostgreSQL |
| **Findings** | `src/Findings/` | Centralized findings aggregation; materializes effective findings from Policy outputs and feeds UI, CLI and Notify. Includes RiskEngine and VulnExplorer (Sprint 207). | Yes | No | PostgreSQL |
### Operations (5 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **JobEngine** | `src/JobEngine/` | Workflow orchestration, scheduling, task execution, pack registry. Includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). | Yes | Yes | PostgreSQL (`orchestrator`, `scheduler`) |
| **Notify** | `src/Notify/` | Notification toolkit (Email, Slack, Teams, Webhooks) - shared libraries. Boundary preserved with Notifier (Sprint 209). | Library | N/A | N/A |
| **Notifier** | `src/Notifier/` | Notifications Studio host (WebService + Worker). Boundary preserved with Notify (Sprint 209). | Yes | Yes | PostgreSQL (`notify`) |
| **Timeline** | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). | Yes | No | PostgreSQL |
| **Replay** | `src/Replay/` | Deterministic replay engine | Yes | No | PostgreSQL |
### Integration (5 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **CLI** | `src/Cli/` | Command-line interface (Native AOT, multi-platform) | CLI | N/A | N/A |
| **Zastava** | `src/Zastava/` | Container registry webhook observer, admission control | Yes | No | PostgreSQL |
| **Web** | `src/Web/` | Angular 21 frontend SPA | Static | N/A | N/A |
| **API** | `src/Api/` | OpenAPI contracts and governance | Library | N/A | N/A |
| **Registry** | `src/Registry/` | Container registry integration, token service | Yes | No | PostgreSQL |
### Infrastructure (6 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Cryptography** | `src/Cryptography/` | Crypto plugins (FIPS, eIDAS, GOST, SM, PQ) | Library | N/A | N/A |
| **Telemetry** | `src/Telemetry/` | OpenTelemetry traces, metrics, logging | Library | N/A | N/A |
| **Graph** | `src/Graph/` | Call graph and reachability data structures | Library | N/A | N/A |
| **Signals** | `src/Signals/` | Runtime signal collection and correlation | Library | N/A | N/A |
| **AirGap** | `src/AirGap/` | Air-gapped deployment support, Offline Kit bundling | Yes | Yes | RustFS |
| **AOC** | `src/Aoc/` | Append-Only Contract enforcement (Roslyn analyzers) | Library | N/A | N/A |
### Testing & Benchmarks (2 modules)
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **Benchmark** | Scanner library | Competitive benchmarking (accuracy comparison) | Tool | N/A | N/A |
| **Bench** | `src/Bench/` | Performance benchmarks | Tool | N/A | N/A |
### Utility & Internal (3+ modules)
| Module | Path | Purpose | Notes |
|--------|------|---------|-------|
| **SmRemote** | `src/SmRemote/` | Remote SM2/SM3/SM4 cryptographic operations | Integration utility |
| **Tools** | `src/Tools/` | Utility programs (fixture generators, migration scripts). Includes Bench, Verifier, Sdk, DevPortal (Sprint 212). | Dev tooling |
| **PluginBinaries** | Various | Authority and Concelier plugin binaries | Plugin hosting |
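Because the inventory above records, per row, which former modules a consolidated module now includes and which directories were deleted, it can be reconciled mechanically against the `src/` tree and against tables that still use pre-consolidation names. The script below is an added example, not code from the StellaOps repository: the markdown excerpt, the `src/` directory listing and the category-table names are constructed inline in the same row format this page uses, and the parsing rules (the `Includes ... (Sprint N)` and `` `src/X/` deleted `` phrases) are this example's own reading of the table text.

```python
"""Reconcile a module-matrix inventory with the src/ tree and with category
tables that still use pre-consolidation module names.

Added example, not code from the StellaOps repository. All inputs below are
constructed inline in the shape of the tables on this page.
"""
import re

# Constructed excerpt in the page's inventory-table row format.
INVENTORY_MD = """
| **Authority** | `src/Authority/` | Authentication, authorization. Includes IssuerDirectory (Sprint 216). | Yes | No | PostgreSQL |
| **Router** | `src/Router/` | Messaging and HTTP ingress gateway. `src/Gateway/` deleted (Sprint 200). | Yes | No | Valkey |
| **Concelier** | `src/Concelier/` | Advisory ingestion. Includes Feedser and Excititor (Sprint 203). | Yes | Yes | PostgreSQL |
| **Attestor** | `src/Attestor/` | DSSE attestation. Includes Signer and Provenance (Sprint 204). | Yes | No | PostgreSQL |
| **Provcache** | Library | Provenance cache utilities | Library | N/A | N/A |
"""

# Row: | **Name** | `src/Name/` | purpose text | ...   (path may be a bare word)
ROW_RE = re.compile(r"^\|\s*\*\*(?P<name>[^*]+)\*\*\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<purpose>[^|]*)\|")
INCLUDES_RE = re.compile(r"Includes\s+(?P<names>[^.(]+?)\s*\(Sprint\s+\d+\)")
DELETED_RE = re.compile(r"`src/(?P<name>[A-Za-z0-9]+)/`\s+deleted")


def parse_inventory(md):
    """Return (modules, merged, deleted): modules maps name -> src path (None
    for library rows without a path); merged maps a former module name to the
    module that now hosts it; deleted holds directories the rows mark deleted."""
    modules, merged, deleted = {}, {}, set()
    for line in md.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name = m.group("name").strip()
        path = m.group("path").strip("` ")
        modules[name] = path if path.startswith("src/") else None
        purpose = m.group("purpose")
        inc = INCLUDES_RE.search(purpose)
        if inc:
            for former in re.split(r",\s*|\s+and\s+", inc.group("names")):
                merged[former.strip()] = name
        for d in DELETED_RE.finditer(purpose):
            deleted.add(d.group("name"))
    return modules, merged, deleted


def reconcile(modules, merged, deleted, src_dirs, category_names):
    """Report three kinds of drift:
      unlisted - directories under src/ with no inventory row
      missing  - inventory rows whose src/ path has no directory
      stale    - names used in a category table that are no longer top-level
                 modules, with where each one went (merged / deleted / unknown)"""
    by_dir = {p[len("src/"):].rstrip("/"): n for n, p in modules.items() if p}
    unlisted = sorted(set(src_dirs) - set(by_dir))
    missing = sorted(n for d, n in by_dir.items() if d not in src_dirs)
    stale = {}
    for name in category_names:
        if name in modules:
            continue
        if name in merged:
            stale[name] = f"merged into {merged[name]}"
        elif name in deleted:
            stale[name] = "deleted"
        else:
            stale[name] = "unknown"
    return {"unlisted": unlisted, "missing": missing, "stale": stale}


if __name__ == "__main__":
    mods, merged, deleted = parse_inventory(INVENTORY_MD)
    # Constructed: what `ls src/` returned, and names from a category table.
    report = reconcile(mods, merged, deleted,
                       src_dirs=["Authority", "Router", "Concelier", "Tools"],
                       category_names=["Gateway", "Excititor", "Signer", "Router", "Scheduler"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real tree, the `unlisted` list is where new top-level modules show up before anyone documents them, and `stale` is the list of names to rewrite in sections 3 to 5 whenever a consolidation sprint lands.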
---
## 3. Module Categories
Names in parentheses are former modules that section 2 records as merged into the listed module. Gateway is not listed: `src/Gateway/` was deleted (Sprint 200) and its HTTP ingress role now belongs to Router.
### By Runtime Type
| Type | Modules |
|------|---------|
| **WebService + Worker** | Scanner (Cartographer), Concelier (Feedser, Excititor), Policy, JobEngine (Scheduler, TaskRunner, PacksRegistry), Notifier, AirGap, Mirror |
| **WebService Only** | Authority (IssuerDirectory), Router, Platform, VexLens, VexHub, BinaryIndex (Symbols), AdvisoryAI (OpsMemory), ReachGraph, Attestor (Signer, Provenance), SbomService, EvidenceLocker, ExportCenter, Findings (RiskEngine, VulnExplorer), Unknowns, Timeline (TimelineIndexer), Replay, Zastava, Registry |
| **Library** | Provcache, Notify, API, Cryptography, Telemetry, Graph, Signals, AOC |
| **CLI/Tool** | CLI, Benchmark, Bench, Tools |
| **Static** | Web (Angular SPA) |
### By Data Store
| Store | Modules |
|-------|---------|
| **PostgreSQL** | Authority, Concelier, VexLens, VexHub, Scanner, BinaryIndex, AdvisoryAI, ReachGraph, Attestor, SbomService, Policy, Findings, Unknowns, JobEngine, Notifier, Timeline, Replay, Zastava, Registry |
| **RustFS (S3)** | Scanner, Attestor, SbomService, EvidenceLocker, ExportCenter, AirGap, Mirror |
| **Valkey** | Router, Authority (DPoP), Scanner, Policy, JobEngine, Notifier (queues/cache) |
| **Stateless** | Platform, CLI, Web |
### By Communication Pattern
| Pattern | Modules |
|---------|---------|
| **HTTP REST** | All WebService modules |
| **Binary Frame (Router)** | Router (ingress gateway) to all backend services |
| **Event Streams (Valkey/NATS)** | Scanner, Concelier, Policy, JobEngine, Notifier |
| **Direct Library** | All Library modules |
---
## 4. Service Deployment Matrix
| Service | Container Image | Replicas | Storage | Queue | Observable |
|---------|-----------------|----------|---------|-------|------------|
| Authority | `stellaops/authority` | 2+ | PostgreSQL | Valkey (DPoP) | Yes |
| Gateway | `stellaops/gateway` | 2+ | Stateless | - | Yes |
| Scanner.Web | `stellaops/scanner-web` | 2+ | PostgreSQL + RustFS | - | Yes |
| Scanner.Worker | `stellaops/scanner-worker` | N | RustFS | Valkey/NATS | Yes |
| Concelier.Web | `stellaops/concelier-web` | 2+ | PostgreSQL | - | Yes |
| Concelier.Worker | `stellaops/concelier-worker` | N | PostgreSQL | Valkey/NATS | Yes |
| Policy.Engine | `stellaops/policy-engine` | 2+ | PostgreSQL | Valkey | Yes |
| Policy.Worker | `stellaops/policy-worker` | N | PostgreSQL | Valkey | Yes |
| Scheduler | `stellaops/scheduler` | 2+ | PostgreSQL | Valkey | Yes |
| Notifier | `stellaops/notifier` | 2+ | PostgreSQL | Valkey | Yes |
| ExportCenter | `stellaops/export-center` | 2+ | RustFS | - | Yes |
| Web (UI) | `stellaops/web` | 2+ | Static | - | Yes |
---
## 5. Module Dependencies
### Core Dependency Graph
The graph and the integration table in this section use the pre-consolidation names: Gateway's ingress role is now Router, Signer is hosted by Attestor, and Excititor by Concelier (see section 2).
```
                         +-----------+
                         | Authority |
                         +-----+-----+
                               |
          +--------------------+--------------------+
          |                    |                    |
          v                    v                    v
    +-----------+        +-----------+        +-----------+
    |  Gateway  |------->|  Scanner  |------->|  Policy   |
    +-----+-----+        +-----+-----+        +-----+-----+
          |                    |                    |
          |                    v                    v
          |              +-----------+        +-----------+
          |              | Concelier |        |  Signer   |
          |              +-----+-----+        +-----+-----+
          |                    |                    |
          |                    v                    v
          |              +-----------+        +-----------+
          |              | Excititor |        | Attestor  |
          |              +-----------+        +-----------+
          |
          v
    +-----------+
    |    UI     |
    +-----------+
```
### Key Integration Points
| From | To | Integration |
|------|----|-------------|
| Gateway | Authority | Token validation (JWKS) |
| Gateway | All Services | Binary frame routing |
| Scanner | Signer | SBOM signing |
| Scanner | Attestor | in-toto attestation |
| Policy | Concelier | Advisory data (read-only) |
| Policy | Excititor | VEX data (read-only) |
| Policy | Scanner | SBOM data (read-only) |
| Scheduler | Scanner | Trigger rescans |
| Scheduler | Concelier | Observe advisory deltas |
| Notifier | All Services | Consume events |
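The integration table is small enough to reason about by eye, but two properties worth checking every time a row is added are easier to derive than to inspect: the order in which services must come up, and how far a compromised service can push state through the graph. The script below is an added example, not code from the StellaOps repository. Its edge list is transcribed from the table above; the `call` / `read` / `event` labels are the example's own classification (the table only marks some edges "read-only"), and treating "All Services" as a wildcard over the other named services is likewise this example's assumption.

```python
"""Derive start order, cycle members and call-reach from the module edges in
the Key Integration Points table.

Added example, not code from the StellaOps repository. Edge kinds are this
example's own labels:
  call  - the source can change state on the target (validate, sign, trigger)
  read  - the source only reads the target's data
  event - the source consumes the target's event stream asynchronously
"""
import bisect
from collections import defaultdict

# (from, to, kind); "*" stands for the table's "All Services".
EDGES = [
    ("Gateway", "Authority", "call"),    # token validation (JWKS)
    ("Gateway", "*", "call"),            # binary frame routing
    ("Scanner", "Signer", "call"),       # SBOM signing
    ("Scanner", "Attestor", "call"),     # in-toto attestation
    ("Policy", "Concelier", "read"),     # advisory data (read-only)
    ("Policy", "Excititor", "read"),     # VEX data (read-only)
    ("Policy", "Scanner", "read"),       # SBOM data (read-only)
    ("Scheduler", "Scanner", "call"),    # trigger rescans
    ("Scheduler", "Concelier", "read"),  # observe advisory deltas
    ("Notifier", "*", "event"),          # consume events
]


def expand(edges):
    """Replace "*" targets with every concrete service except the source."""
    nodes = sorted({n for a, b, _ in edges for n in (a, b) if n != "*"})
    out = set()
    for a, b, kind in edges:
        targets = [n for n in nodes if n != a] if b == "*" else [b]
        for t in targets:
            out.add((a, t, kind))
    return nodes, sorted(out)


def _kahn(edges, kinds):
    """Topological start order over the given edge kinds: a service starts
    after everything it calls or reads. Returns (order, stuck); stuck is
    non-empty only when those edges form a cycle."""
    nodes, flat = expand(edges)
    deps = {n: 0 for n in nodes}        # outstanding dependencies per service
    dependents = defaultdict(list)      # target -> services waiting on it
    for a, b, kind in flat:
        if kind in kinds:
            deps[a] += 1
            dependents[b].append(a)
    ready = [n for n in nodes if deps[n] == 0]   # nodes is sorted already
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for a in dependents[n]:
            deps[a] -= 1
            if deps[a] == 0:
                bisect.insort(ready, a)
    stuck = sorted(n for n in nodes if deps[n] > 0)
    return order, stuck


def start_order(edges):
    """Start order; event edges are excluded because an event consumer
    tolerates its producers being absent."""
    order, stuck = _kahn(edges, kinds={"call", "read"})
    if stuck:
        raise ValueError(f"dependency cycle among: {', '.join(stuck)}")
    return order


def cycle_members(edges):
    """Services that cannot be ordered because of a call/read cycle
    (empty list when the graph is acyclic)."""
    return _kahn(edges, kinds={"call", "read"})[1]


def _reach(edges, start, forward):
    """Transitive closure over call edges, forward or reversed."""
    _, flat = expand(edges)
    adj = defaultdict(set)
    for a, b, kind in flat:
        if kind == "call":
            adj[a if forward else b].add(b if forward else a)
    seen, todo = set(), [start]
    while todo:
        n = todo.pop()
        for m in adj[n]:
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def blast_radius(edges, compromised):
    """Services whose state a compromised service can change, transitively,
    through call edges only (read and event edges carry no write authority)."""
    return _reach(edges, compromised, forward=True)


def drivers_of(edges, target):
    """Services that can, directly or transitively, make target act;
    for Signer this is everyone who can get an SBOM signed."""
    return _reach(edges, target, forward=False)


if __name__ == "__main__":
    print("start order:", " -> ".join(start_order(EDGES)))
    print("blast radius of Scheduler:", sorted(blast_radius(EDGES, "Scheduler")))
    print("who can drive Signer:", sorted(drivers_of(EDGES, "Signer")))
    print("cycle after adding Concelier -> Policy (read):",
          cycle_members(EDGES + [("Concelier", "Policy", "read")]))
```

Two results are the ones to watch when the table changes. `drivers_of(EDGES, "Signer")` is the set of services whose compromise yields signed SBOMs, so any new `call` edge into Scanner or Signer widens it; and `cycle_members` catches a read-only edge added in the wrong direction (Concelier consulting Policy) that would deadlock start-up even though it changes no write authority.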
---
## Related Documentation
- [User Flows](user-flows.md)
- [Data Flows](data-flows.md)
- [Schema Mapping](schema-mapping.md)
- [Component Map](component-map.md)
- [Platform Topology](platform-topology.md)