stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
63c70a6d3771012d01d395444915b5ab768e541b
git.stella-ops.org/docs/modules/README.md

45 KiB
Raw Blame History

StellaOps Module Documentation Index

This directory contains architecture documentation for all StellaOps modules.

Platform Statistics

Metric Count
Source modules 63
Documented modules 79
Runnable services (Program.cs) 47
Modules with workers 19
PostgreSQL databases 30
SQL migration files ~180
Total .csproj files 1,105

Module Categories

Core Platform

Module Path Description
Authority src/Authority/ Authentication, authorization, OAuth/OIDC, DPoP
Gateway src/Gateway/ API gateway with routing and transport abstraction
Router src/Router/ Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Note: also contains a StellaOps.Gateway.WebService for binary protocol bridging, separate from src/Gateway/.
Platform src/Platform/ Platform architecture and Platform Service aggregation APIs

Data Ingestion

Module Path Description
Concelier src/Concelier/ Vulnerability advisory ingestion and merge engine
Excititor src/Excititor/ VEX document ingestion and export
VexLens src/VexLens/ VEX consensus computation across issuers
VexHub src/VexHub/ VEX distribution and exchange hub
IssuerDirectory src/IssuerDirectory/ Issuer trust registry (CSAF publishers)
Feedser src/Feedser/ Evidence collection library for backport detection
Mirror src/Mirror/ Vulnerability feed mirror and distribution

Scanning & Analysis

Module Path Description
Scanner src/Scanner/ Container scanning with SBOM generation
BinaryIndex src/BinaryIndex/ Binary identity extraction and fingerprinting
AdvisoryAI src/AdvisoryAI/ AI-assisted advisory analysis
Symbols src/Symbols/ Symbol resolution and debug information
ReachGraph src/ReachGraph/ Reachability graph service

Artifacts & Evidence

Module Path Description
Attestor src/Attestor/ in-toto/DSSE attestation generation
Signer src/Signer/ Cryptographic signing operations
SbomService src/SbomService/ SBOM storage, versioning, and lineage ledger
EvidenceLocker src/EvidenceLocker/ Sealed evidence storage and export
ExportCenter src/ExportCenter/ Batch export and report generation
Provenance src/Provenance/ SLSA/DSSE attestation tooling
Provcache Library Production provenance cache shared library family

Policy & Risk

Module Path Description
Policy src/Policy/ Policy engine with K4 lattice logic
RiskEngine src/RiskEngine/ Risk scoring runtime
VulnExplorer src/VulnExplorer/ Vulnerability exploration and triage
Unknowns src/Unknowns/ Unknown component tracking registry
Findings src/Findings/ Centralized findings aggregation and evidence graphs

Release & Orchestration

Module Path Description
ReleaseOrchestrator src/ReleaseOrchestrator/ Central release control plane (active development)
Orchestrator src/Orchestrator/ Workflow orchestration and task coordination
Scheduler src/Scheduler/ Job scheduling and queue management
TaskRunner src/TaskRunner/ Task pack execution engine
PacksRegistry src/PacksRegistry/ Task packs registry
Remediation src/Remediation/ Fix template marketplace for CVE remediation

Operations & Observability

Module Path Description
Doctor src/Doctor/ Diagnostic framework for system health validation
Notify src/Notify/ Notification toolkit (Email, Slack, Teams, Webhooks)
Notifier src/Notifier/ Notifications Studio host
OpsMemory src/OpsMemory/ Decision ledger with similarity-based suggestions
Timeline src/Timeline/ Timeline query service for event browsing
TimelineIndexer src/TimelineIndexer/ Timeline event indexing
Replay src/Replay/ Deterministic replay engine

Integration & Clients

Module Path Description
CLI src/Cli/ Command-line interface (Native AOT)
Zastava src/Zastava/ Container registry webhook observer
Web/UI src/Web/ Angular 21 frontend SPA
API src/Api/ OpenAPI contracts and governance
Registry src/Registry/ Container registry integration
Integrations src/Integrations/ Integration hub for external systems (SCM, CI, registries, secrets)
Extensions src/Extensions/ IDE extensions for JetBrains and VS Code
Sdk src/Sdk/ Client SDK generator and release SDK
DevPortal src/DevPortal/ Developer portal static site

Infrastructure & Libraries

Module Path Description
Cryptography src/Cryptography/ Crypto plugins (FIPS, eIDAS, GOST, SM, PQ)
SmRemote src/SmRemote/ Remote SM2/SM3/SM4 cryptographic operations
Telemetry src/Telemetry/ OpenTelemetry traces, metrics, logging
Graph src/Graph/ Call graph and reachability data structures
Signals src/Signals/ Runtime signal collection and correlation
AirGap src/AirGap/ Air-gapped deployment support
AOC src/Aoc/ Append-Only Contract enforcement
Plugin src/Plugin/ Plugin SDK, registry, sandbox, and host framework
RuntimeInstrumentation src/RuntimeInstrumentation/ Tetragon-based eBPF runtime instrumentation
Cartographer src/Cartographer/ Infrastructure topology discovery
Facet Library Production cross-module faceting library (Scanner + Policy)

Testing & Benchmarks

Module Path Description
Benchmark Scanner library Competitive benchmarking (accuracy comparison)
Bench src/Bench/ Performance benchmarks
Tools src/Tools/ Developer utility tools (fixtures, golden pairs, smoke tests)
Verifier src/Verifier/ Standalone evidence bundle verification CLI

Cross-Cutting Concepts

Folder Purpose
Analytics Analytics capabilities (embedded in Platform)
Evidence Unified evidence model specification
Eventing Event envelope schemas and libraries
Snapshot Knowledge snapshot and replay concepts
Triage Vulnerability triage workflows
DevOps DevOps and CI/CD infrastructure
CI CI pipeline documentation
Reachability Reachability concepts (split between ReachGraph and Scanner)
SARIF Export SARIF export format (capability within ExportCenter)

Module Catalog

AdvisoryAI

  • Source: src/AdvisoryAI/
  • Docs: docs/modules/advisory-ai/
  • Type: Service
  • Database: PostgreSQL (2 SQL migrations: chat audit, knowledge search)
  • Endpoints: 7 (attestation, chat, evidence pack, knowledge search, LLM adapter, run, companion explain)

AI-powered advisory summarization and knowledge search service using LLM inference to explain vulnerability advisories, VEX evidence, and remediation guidance. Uses retrieval-augmented generation (RAG) over advisories, VEX, and platform documentation with configurable LLM backends (Claude, OpenAI, Ollama, Gemini). Includes chat audit logging, doctor-search controls, and guardrails for determinism and offline operation.

Dependencies: Concelier, VEX Lens / Excititor, Policy Engine, SBOM Service, LLM providers.

AirGap

  • Source: src/AirGap/
  • Docs: docs/modules/airgap/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 1 (AirGapEndpoints)

Air-gapped deployment controller, importer, and cryptographic time anchor enabling StellaOps operation in fully disconnected environments. Handles bundle import/export, trust verification, and sealed-mode enforcement. Time service provides cryptographic time anchors using Roughtime or RFC3161.

Dependencies: Authority, Concelier / Excititor, Signer / Attestor.

Aoc

  • Source: src/Aoc/
  • Docs: docs/modules/aoc/
  • Type: CLI / Library
  • Database: None
  • Endpoints: None

CLI tool and Roslyn analyzers enforcing the Aggregation-Only Contract (AOC) across the platform. Validates that ingestion services preserve raw upstream data without modification, maintain full provenance chains, and never merge conflicting observations.

Dependencies: None (standalone validation tool).

Api

  • Source: src/Api/
  • Docs: docs/modules/api/
  • Type: Library
  • Database: None
  • Endpoints: None

Shared API contracts, governance rules, and OpenAPI generation libraries used across all StellaOps services. Includes StellaOps.Api (core contracts), StellaOps.Api.Governance (validators), and StellaOps.Api.OpenApi (specification generation).

Dependencies: None (consumed as a library).

Attestor

  • Source: src/Attestor/
  • Docs: docs/modules/attestor/
  • Type: Service
  • Database: PostgreSQL (ProofChainDbContext, 10 SQL migrations)
  • Endpoints: 6 (verdict, predicate registry, core attestor, watchlist, and more)

Transparency-logged attestation service that submits DSSE envelopes to Rekor v2, retrieves inclusion proofs, and exposes verification APIs. Accepts DSSE only from the Signer over mTLS and enforces chain-of-trust to Stella Ops roots. Includes predicate type registry, identity watchlist, and trust verdict storage.

Dependencies: Signer, Rekor v2, Authority.

Authority

  • Source: src/Authority/
  • Docs: docs/modules/authority/
  • Type: Service
  • Database: PostgreSQL (7 SQL migrations)
  • Endpoints: 4+ (authorize, token, JWKS, discovery)

On-premises OIDC/OAuth2 identity service issuing short-lived, sender-constrained operational tokens (OpToks) with DPoP and mTLS binding. Supports RBAC scopes, multi-tenant claims with header-based tenant selection, deterministic validation, console admin endpoints, and LDAP/Standard client provisioning plugins.

Dependencies: Valkey (DPoP nonce store, token caching).

Bench

Performance benchmark harnesses (BenchmarkDotNet) for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Results establish performance baselines and detect regressions.

Dependencies: None (standalone benchmarks).

BinaryIndex

  • Source: src/BinaryIndex/
  • Docs: docs/modules/binary-index/
  • Type: Service
  • Database: PostgreSQL (BinaryIndexDbContext, 5 SQL migrations)
  • Endpoints: Defined in WebService Program.cs

Vulnerable binaries database enabling detection of vulnerable code at the binary level, independent of package metadata, using fingerprint claims and delta signatures. Addresses unreliable package version strings (backports, custom builds, stripped metadata).

Dependencies: Scanner, Concelier.

Cartographer

Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator.

Dependencies: Graph, Scanner.

CLI

Command-line interface for driving StellaOps workflows including scanning, policy operations, VEX/vulnerability data pulls, verification, offline kit administration, knowledge search, and migration management. Supports build-time SBOM generation via Buildx orchestration and authenticates via Authority DPoP tokens.

Dependencies: Scanner.WebService, Authority, AdvisoryAI, Policy Engine, Concelier / Excititor, Signer / Attestor, Platform.

Concelier

  • Source: src/Concelier/
  • Docs: docs/modules/concelier/
  • Type: Service
  • Database: PostgreSQL (24 SQL migrations)
  • Endpoints: 9 (advisory source, air-gap, canonical advisory, federation, feed mirror, feed snapshot, interest score, mirror, SBOM)

Advisory ingestion and Link-Not-Merge (LNM) observation pipeline producing deterministic raw observations, correlation linksets, and evidence events. Acquires authoritative vulnerability advisories from vendor PSIRTs, distros, OSS ecosystems, and CERTs, persisting them as immutable observations under AOC.

Dependencies: Policy Engine, Excititor, Graph, AirGap, Feedser.

Cryptography

Pluggable cryptographic primitives supporting regional standards (eIDAS, FIPS, GOST, SM) with algorithm-agile signing operations. Plugins include HSM integration, ECDSA, and EdDSA signing profiles. All operations are deterministic and support offline operation.

Dependencies: None (consumed as a library by Signer, Attestor, and other services).

DevPortal

Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Aggregates OpenAPI specifications from all services for third-party developers and integrators.

Dependencies: None (static site).

Doctor

  • Source: src/Doctor/
  • Docs: docs/modules/doctor/
  • Type: Service
  • Database: None (uses Valkey for caching)
  • Endpoints: 3 (doctor, scheduler, timestamping)

Diagnostic framework for validating system health, configuration, integration connectivity, and OCI registry compatibility. Plugin-based architecture with binary analysis, notification validation, and observability probing. Integrates with AdvisoryAI knowledge search for diagnostic assistance.

Dependencies: All platform services (health check targets), external registries, AdvisoryAI.

EvidenceLocker

  • Source: src/EvidenceLocker/
  • Docs: docs/modules/evidence-locker/
  • Type: Service
  • Database: PostgreSQL (EvidenceDbContext, 5 SQL migrations)
  • Endpoints: 4 (evidence audit, evidence thread, export, verdict)

Tamper-proof, immutable evidence storage for vulnerability scan evidence, audit logs, and compliance artifacts with cryptographic sealing. Evidence is content-addressable. Once sealed, evidence cannot be modified. Supports threads, verdicts, bundle packaging, and portable bundles for offline compliance audits.

Dependencies: Signer, Attestor, Authority, object storage.

Excititor

  • Source: src/Excititor/
  • Docs: docs/modules/excititor/
  • Type: Service
  • Database: PostgreSQL (10 SQL migrations)
  • Endpoints: 11 (attestation, evidence, ingest, linkset, mirror, mirror registration, observation, policy, Rekor attestation, resolve, risk feed)

VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged.

Dependencies: Policy Engine, Concelier, Attestor / Signer, Graph.

ExportCenter

  • Source: src/ExportCenter/
  • Docs: docs/modules/export-center/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 15 (profile management, export runs, distribution, status, download)

Evidence and policy overlay packaging service producing reproducible, deterministic export bundles in multiple formats (JSON, SARIF, offline kit). Enforces AOC guardrails and produces deterministic manifests with optional signing and distribution to OCI registries or object storage.

Dependencies: Findings Ledger, Policy Engine, Orchestrator, Authority, Signer, object storage.

Extensions

IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment.

Dependencies: Platform API.

Feedser

Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization.

Dependencies: None (consumed as a library by Concelier).

Findings

  • Source: src/Findings/
  • Docs: docs/modules/findings-ledger/
  • Type: Service
  • Database: PostgreSQL (via shared libraries)
  • Endpoints: 8 (backport, evidence graph, finding summary, reachability map, runtime timeline, runtime traces, scoring, webhook)

Centralized findings aggregation service providing backport tracking, evidence graphs, finding summaries, reachability maps, runtime timelines, scoring, and webhook notifications. Aggregates vulnerability findings from Scanner, Policy, Concelier, and Excititor into a unified query surface. Includes a LedgerReplayHarness tool for deterministic replay testing.

Dependencies: Scanner, Policy Engine, Concelier / Excititor, Attestor.

Gateway

  • Source: src/Gateway/
  • Docs: docs/modules/gateway/
  • Type: Service
  • Database: None (stateless)
  • Endpoints: None (reverse proxy)

Single HTTP ingress point for all external traffic providing authentication, routing, OpenAPI aggregation, health monitoring, rate limiting, and tenant propagation. A separate StellaOps.Gateway.WebService also exists under src/Router/ which serves as the transport-layer gateway for the Router's binary protocol.

Dependencies: Authority, Router, all microservices (proxied requests).

Graph

  • Source: src/Graph/
  • Docs: docs/modules/graph/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in Graph Indexer Persistence)
  • Endpoints: 3 (graph query, analytics, overlay)

SBOM dependency graph store with a rich node/edge model covering artifacts, SBOMs, components, advisories, VEX statements, and policy versions with reachability overlays. The Graph Indexer processes events from Cartographer/SBOM Service, Concelier/Excititor, and policy runs to maintain the graph.

Dependencies: Cartographer / SBOM Service, Concelier / Excititor, Policy Engine, Scanner.

Integrations

  • Source: src/Integrations/
  • Docs: docs/modules/integrations/
  • Type: Service
  • Database: PostgreSQL (IntegrationDbContext, EF Core managed)
  • Endpoints: 2

Integration hub managing connections to external systems (SCM, CI, registries, secrets vaults) with health monitoring. Stores connection profiles, manages credential references, and monitors integration health. Plugins under __Plugins provide specific connector implementations.

Dependencies: Authority, external SCM/CI/Registry/Vault systems.

IssuerDirectory

  • Source: src/IssuerDirectory/
  • Docs: docs/modules/issuer-directory/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 3 (issuer, issuer key, issuer trust)

Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant.

Dependencies: Authority.

Mirror

  • Source: src/Mirror/
  • Docs: docs/modules/mirror/
  • Type: Library / Tool
  • Database: None
  • Endpoints: None

Vulnerability feed mirror and distribution utility for offline operation and reduced latency. Produces bundles for air-gapped distribution with cryptographic verification. Primary component is StellaOps.Mirror.Creator for assembling mirror bundles.

Dependencies: Upstream vulnerability feeds (NVD, OSV, GHSA), Concelier.

Notifier

  • Source: src/Notifier/
  • Docs: docs/modules/notifier/
  • Type: Service
  • Database: None (uses Notify's persistence layer)
  • Endpoints: 14 (escalation, fallback, incident, localization, observability, operator override, quiet hours, rule, security, simulation, storm breaker, template, throttle, notify API)

Notifications Studio host application composing the Notify toolkit libraries into a full-featured notification management service. Provides 73+ routes covering escalation policies, fallback routing, incident tracking, localization, security controls, simulation testing, storm breaking (anti-spam), and more.

Dependencies: Notify libraries, Authority, Slack/Teams/Email/Webhook channels.

Notify

  • Source: src/Notify/
  • Docs: docs/modules/notify/
  • Type: Service / Library
  • Database: PostgreSQL (2 SQL migrations)
  • Endpoints: 2 (via WebService Program.cs)

Rules-driven, tenant-aware notification engine providing event consumption, operator-defined routing, channel-specific rendering, and reliable delivery with idempotency, throttling, and digests. Foundation library consumed by the Notifier host application. Secrets for channels are referenced, not stored raw.

Dependencies: Scanner / Scheduler / Excititor / Concelier / Attestor / Zastava (event sources), Slack/Teams/Email/Webhook, Authority.

OpsMemory

  • Source: src/OpsMemory/
  • Docs: docs/modules/opsmemory/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure, schema managed programmatically)
  • Endpoints: 1 (OpsMemoryEndpoints)

Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation.

Dependencies: AdvisoryAI, Authority.

Orchestrator

  • Source: src/Orchestrator/
  • Docs: docs/modules/orchestrator/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure)
  • Endpoints: 25 (approvals, audit, circuit breakers, DAG, dead letter, export jobs, first signal, health, jobs, KPIs, ledger, OpenAPI, pack registry, pack runs, quotas, governance, release control v2, release dashboard, releases, runs, scale, SLOs, sources, streams, workers)

Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers.

Dependencies: TaskRunner, Concelier / Excititor / Scheduler / ExportCenter / Policy (job producers), Valkey or NATS, Authority.

PacksRegistry

  • Source: src/PacksRegistry/
  • Docs: docs/modules/packs-registry/
  • Type: Service
  • Database: PostgreSQL (PacksRegistryDbContext, EF Core managed)
  • Endpoints: Defined in WebService Program.cs

Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Pack execution is handled by TaskRunner.

Dependencies: TaskRunner, object storage, Authority.

Platform

  • Source: src/Platform/
  • Docs: docs/modules/platform/
  • Type: Service
  • Database: PostgreSQL (57 SQL migrations, stellaops shared database)
  • Endpoints: 45+ (analytics, context, environment settings, evidence thread, federation telemetry, function map, integration read model, legacy alias, pack adapter, platform, policy interop, release control, release read model, score, security read model, topology read model, trust signing, and more)

Central platform service providing analytics, context management, environment settings, evidence threading, federation telemetry, function maps, integration health, release control, scoring, security, and topology read models. Largest module by migration count. Owns the migration consolidation framework (MigrationModuleRegistry, MigrationModulePluginDiscovery, MigrationModuleConsolidation).

Dependencies: Authority, all modules (migration coordination), PostgreSQL.

Plugin

  • Source: src/Plugin/
  • Docs: docs/modules/plugin/
  • Type: Library / Framework
  • Database: PostgreSQL (Plugin Registry, 1 SQL migration)
  • Endpoints: None

Plugin SDK, registry, sandbox, and host framework enabling extensibility across the platform. Includes Abstractions (contracts), Sdk (development SDK), Host (lifecycle management), Registry (PostgreSQL persistence), Sandbox (isolated execution), Cli (management tool), Testing (test harness), and Samples.

Dependencies: None (framework consumed by other modules).

Policy

  • Source: src/Policy/
  • Docs: docs/modules/policy/
  • Type: Service (Engine + Gateway)
  • Database: PostgreSQL (5 SQL migrations plus demo seed)
  • Endpoints: 59 (49 Engine + 10 Gateway)

Deterministic policy evaluation engine and gateway service compiling stella-dsl policy packs into verdicts by joining SBOM inventory, advisories, and VEX evidence. The Engine provides extensive coverage across advisory AI knobs, attestation reports, batch evaluation, budgets, conflicts, CVSS receipts, determinization, effective policy, merge previews, risk profiles/simulations, sealed mode, verification policy, and violation tracking. The Gateway handles admission decisions, deltas, exception approvals, gates, governance, and registry webhooks.

Dependencies: Concelier, Excititor, SBOM Service, Scanner, Authority, Scheduler.

Provenance

Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at src/__Libraries/StellaOps.Provcache.Postgres/.

Dependencies: Signer, Attestor.

ReachGraph

  • Source: src/ReachGraph/
  • Docs: docs/modules/reach-graph/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in shared library)
  • Endpoints: Defined in Program.cs

Unified reachability subgraph store providing fast, deterministic, audit-ready answers about why a dependency is reachable. Consolidates reachability data from Scanner (call graphs), Signals (runtime observations), and Attestor (PoE JSON) into content-addressed artifacts with edge-level explainability.

Dependencies: Scanner, Signals, Attestor.

Registry

  • Source: src/Registry/
  • Docs: docs/modules/registry/
  • Type: Service
  • Database: None (stateless)
  • Endpoints: 2 (token issuance)

Docker registry bearer token service issuing short-lived tokens for private or mirrored registries with license/plan enforcement. Validates caller identity using Authority-issued tokens, authorizes requested registry scopes against a configured plan catalogue, and mints Docker-registry-compatible JWTs.

Dependencies: Authority.

ReleaseOrchestrator

  • Source: src/ReleaseOrchestrator/
  • Docs: docs/modules/release-orchestrator/
  • Type: Service (Active Development)
  • Database: PostgreSQL (planned, via Platform migrations)
  • Endpoints: 1

Central release control plane for non-Kubernetes container estates governing promotion across environments (Dev, Stage, Prod), enforcing security and policy gates, and producing verifiable evidence. Contains API, agents, apps, and libraries sub-directories with 140K+ lines of production code. Owns environment topology and promotion lanes.

Dependencies: Platform, Policy Engine, Scanner, Authority.

Remediation

Developer-facing signed-PR remediation marketplace enabling discovery, application, and verification of community-contributed fix templates for known CVEs. Templates include unified diff content, version range applicability, and trust scores. Tracks PR submission lifecycle with attestation evidence.

Dependencies: Scanner, Signer / Attestor, Authority.

Replay

  • Source: src/Replay/
  • Docs: docs/modules/replay/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure)
  • Endpoints: 2 (point-in-time query, verdict replay)

Deterministic replay engine ensuring vulnerability assessments can be reproduced byte-for-byte given the same inputs. Manages replay tokens (cryptographically bound to input digests), manifests, feed snapshots, and verification workflows. Stores content-addressed references, not actual data.

Dependencies: Policy Engine, Scanner, Concelier / Excititor.

RiskEngine

  • Source: src/RiskEngine/
  • Docs: docs/modules/risk-engine/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure)
  • Endpoints: 1 (exploit maturity)

Risk scoring runtime computing deterministic, explainable risk scores by aggregating signals from EPSS, CVSS, KEV, VEX, and reachability data. Produces audit trails and explainability payloads for every scoring decision. Does not make PASS/FAIL decisions; provides scores to the Policy Engine. Supports offline operation via factor bundles.

Dependencies: Concelier, Excititor, Signals, Policy Engine.

Router

  • Source: src/Router/
  • Docs: docs/modules/router/
  • Type: Service / Framework
  • Database: None
  • Endpoints: 4

Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The Router's StellaOps.Gateway.WebService bridges binary protocol connections to HTTP; this is separate from src/Gateway/ which is the HTTP ingress gateway.

Dependencies: Gateway, all microservices, Valkey.

RuntimeInstrumentation

Tetragon-based runtime instrumentation library for eBPF-based process and syscall monitoring. Provides integration with Cilium Tetragon enabling observation of actual process execution, file access, and network activity at the kernel level for runtime evidence collection.

Dependencies: Tetragon (eBPF runtime), Zastava / Signals (evidence consumers).

SbomService

  • Source: src/SbomService/
  • Docs: docs/modules/sbom-service/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in Lineage persistence)
  • Endpoints: 5

Canonical SBOM projection, lookup, and timeline API serving deterministic, tenant-scoped SBOM data. Does not perform scanning; consumes Scanner outputs or supplied SPDX/CycloneDX blobs. SBOMs are append-only with mutations via new versions only. Owns the SBOM lineage ledger for versioned uploads, diffs, and retention pruning.

Dependencies: Scanner, Graph, AdvisoryAI, Policy Engine.

Scanner

  • Source: src/Scanner/
  • Docs: docs/modules/scanner/
  • Type: Service
  • Database: PostgreSQL (36 SQL migrations, multiple DbContexts including TriageDbContext)
  • Endpoints: 77 (EPSS, observability, reachability evidence, replay, score replay, unknowns, scan, and 71 more)

Deterministic SBOM generation and vulnerability scanning engine for container images and filesystems with three-way diffs, per-layer caching, and attestation hand-off. Emits Inventory and Usage views. Does not produce PASS/FAIL verdicts. Second-highest migration count covering scans, findings, call graphs, EPSS, smart diffs, unknowns, reachability, binary evidence, secret detection, runtime observations, and score history.

Dependencies: Signer, Attestor, Authority, object storage / RustFS, SBOM Service, Concelier / Excititor.

Scheduler

  • Source: src/Scheduler/
  • Docs: docs/modules/scheduler/
  • Type: Service
  • Database: PostgreSQL (11 SQL migrations)
  • Endpoints: 8 (event webhook, failure signature, graph job, policy run, policy simulation, run, schedule, resolver job)

Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs.

Dependencies: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, Orchestrator.

Sdk

  • Source: src/Sdk/
  • Docs: docs/modules/sdk/
  • Type: Library / Code Generator
  • Database: None
  • Endpoints: None

Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Includes StellaOps.Sdk.Generator (code generator) and StellaOps.Sdk.Release (publishing SDK).

Dependencies: Gateway / OpenAPI specs.

Signals

  • Source: src/Signals/
  • Docs: docs/modules/signals/
  • Type: Service
  • Database: PostgreSQL (6 SQL migrations)
  • Endpoints: 1 (SCM webhook)

Unified evidence-weighted scoring system aggregating reachability, runtime observations, backport detection, exploit intelligence, source trust, and mitigations into a single 0-100 score. Maintains determinism, provides score decomposition with explanations, and supports SCM webhook integration for change-triggered re-scoring.

Dependencies: Scanner, Concelier / Excititor, RuntimeInstrumentation, Policy Engine.

Signer

  • Source: src/Signer/
  • Docs: docs/modules/signer/
  • Type: Service
  • Database: PostgreSQL (KeyManagementDbContext, 2 SQL migrations)
  • Endpoints: 3 (ceremony, key rotation, signer)

The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM).

Dependencies: Authority, Cryptography library, KMS/HSM.

SmRemote

  • Source: src/SmRemote/
  • Docs: docs/modules/sm-remote/
  • Type: Service
  • Database: None
  • Endpoints: Defined in Program.cs

Remote service for Chinese SM2/SM3/SM4 cryptographic operations enabling sovereign crypto compliance. Allows deployments requiring SM compliance to offload operations to a dedicated service rather than requiring SM crypto libraries on every host.

Dependencies: Cryptography Plugin.Sm.

Symbols

  • Source: src/Symbols/
  • Docs: docs/modules/symbols/
  • Type: Service
  • Database: None (content-addressed storage)
  • Endpoints: 1 (symbol source)

Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores.

Dependencies: Scanner, BinaryIndex.

TaskRunner

  • Source: src/TaskRunner/
  • Docs: docs/modules/taskrunner/
  • Type: Service
  • Database: PostgreSQL (via infrastructure layer)
  • Endpoints: Defined in WebService/Worker Program.cs

Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped.

Dependencies: Orchestrator, PacksRegistry, Authority, Signer / Attestor, object storage.

Telemetry

Observability library providing OpenTelemetry-based metrics, traces, and logs with Roslyn analyzers ensuring telemetry best practices. Supports multiple pipeline profiles (default, forensic, airgap) with allow-listed exporters for sovereign readiness. Forensic archives produce signed bundles of raw OTLP records.

Dependencies: Prometheus, Tempo/Jaeger, Loki.

Timeline

  • Source: src/Timeline/
  • Docs: docs/modules/timeline/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in Timeline.Core)
  • Endpoints: 3 (export, replay, timeline)

Timeline query service providing export, replay, and timeline browsing endpoints for vulnerability history and event streams. Uses shared libraries from StellaOps.Eventing for event envelope schemas and StellaOps.Timeline.Core for core logic including critical path view.

Dependencies: All services (event sources), TimelineIndexer.

TimelineIndexer

  • Source: src/TimelineIndexer/
  • Docs: docs/modules/timeline-indexer/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: Defined in WebService Program.cs

Timeline event indexing and query service providing fast indexed access to events across all StellaOps services. Receives events from NATS/Valkey streams, indexes them, and provides efficient time-range queries with filtering. Enables vulnerability history browsing, scan timeline analysis, and policy evaluation trail inspection.

Dependencies: NATS / Valkey, Timeline.

Tools

Developer utility tools including FixtureUpdater, GoldenPairs generator, LanguageAnalyzerSmoke, NotifySmokeCheck, PolicyDslValidator, PolicySchemaExporter, PolicySimulationSmoke, RustFsMigrator, WorkflowGenerator, and a Python CERT-Bund offline snapshot tool.

Dependencies: Various (tool-specific).

Unknowns

  • Source: src/Unknowns/
  • Docs: docs/modules/unknowns/
  • Type: Service
  • Database: PostgreSQL (UnknownsDbContext, 4 SQL migrations)
  • Endpoints: 2 (grey queue, unknowns)

Structured registry for tracking unresolved components, symbols, and incomplete mappings that Scanner and other analyzers cannot definitively identify. Includes a Grey Queue for lifecycle management (queueing, triage, resolution). Does not guess identities; records what cannot be determined.

Dependencies: Scanner, Signals.

Verifier

Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Validates DSSE envelope signatures, Merkle inclusion proofs, and bundle manifest checksums. Designed for operators and auditors who need independent verification without a full StellaOps installation.

Dependencies: None (standalone verification).

VexHub

  • Source: src/VexHub/
  • Docs: docs/modules/vex-hub/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 1 (VexHubEndpointExtensions)

VEX document hub providing centralized management, distribution, and integration of VEX statements across the platform. Stores VEX statements from various sources and distributes data to Excititor for processing.

Dependencies: Excititor, IssuerDirectory, Authority.

VexLens

  • Source: src/VexLens/
  • Docs: docs/modules/vex-lens/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 2 (export, VexLens)

VEX consensus viewer and analysis service providing issuer-aware VEX statement evaluation with export capabilities. Evaluates VEX statements from multiple issuers, computes consensus views considering trust weights and provenance, and integrates with IssuerDirectory for owner manifest resolution.

Dependencies: Excititor, IssuerDirectory, Policy Engine.

VulnExplorer

  • Source: src/VulnExplorer/
  • Docs: docs/modules/vuln-explorer/
  • Type: Service
  • Database: None (reads from other modules' databases)
  • Endpoints: Defined in Program.cs

Vulnerability exploration API providing rich querying, filtering, and analysis of vulnerability findings across the platform. Aggregates data from Scanner, Concelier, Excititor, Policy, and Signals to present a unified vulnerability view with concept-based navigation and evidence links.

Dependencies: Scanner, Concelier, Excititor, Policy Engine, Signals, Findings Ledger.

Web

  • Source: src/Web/
  • Docs: docs/modules/ui/
  • Type: UI (Angular SPA)
  • Database: None
  • Endpoints: None

Angular single-page application providing the operator console with vulnerability dashboard, release management, policy studio, evidence browser, SBOM exploration, notification management, and administrative controls. Includes search client APIs for knowledge search integration, smart diff visualization, AI UX patterns, and competitive triage workflows.

Dependencies: Gateway (API proxy), all backend APIs.

Zastava

  • Source: src/Zastava/
  • Docs: docs/modules/zastava/
  • Type: Service (three processes: Agent, Observer, Webhook)
  • Database: None (stateless agents)
  • Endpoints: Webhook endpoints, agent APIs defined in Program.cs

Runtime inspector and enforcer watching real workloads, detecting drift from scanned baselines, verifying image/SBOM/attestation posture, and optionally admitting/blocking deployments. Observer inventories containers and verifies signatures; Admission (optional Kubernetes webhook) enforces minimal posture pre-flight. On non-Kubernetes Docker hosts, runs as a host service with observer-only features.

Dependencies: Scanner.WebService, Policy Engine, Signals, Attestor, Authority.

Documentation Standards

Each module folder should contain:

File Purpose
README.md Quick overview, purpose, components
architecture.md Detailed architecture specification
AGENTS.md (Optional) Claude Code agent guidance
operations/ (Optional) Operational runbooks

See the Documentation Template Standard for the full architecture.md template.