git.stella-ops.org/docs/roadmap/maturity-model.md
StellaOps Bot 7503c19b8f Add determinism tests for verdict artifact generation and update SHA256 sums script
2025-12-24 02:17:34 +02:00


# Capability maturity model

This document defines what “shipped” means for StellaOps capabilities. Each area progresses through the same maturity levels; the concrete evidence differs by domain.

## Maturity levels

| Level | Meaning | Evidence posture |
|---|---|---|
| Foundation | Works end-to-end with deterministic outputs. | Golden fixtures, stable ordering, replay-friendly artifacts. |
| Hardened | Safe for regulated environments. | Isolation boundaries, audit trail, reproducible upgrades, operational runbooks. |
| Sovereign | Crypto + operations are independent by default. | Bring-your-own trust roots, offline bundles, configurable crypto profiles. |
| Ecosystem | Extensible and integrable without losing determinism. | Stable plugin/SDK contracts, compatibility suites, offline distribution story. |

## Scanning & SBOM

| Level | What exists | Minimum evidence |
|---|---|---|
| Foundation | Deterministic SBOM generation and stable identifiers. | Fixture-backed scans producing byte-stable SBOMs and normalized findings. |
| Hardened | Deterministic "replay" of scans and decisions. | Replay test vectors and a documented, versioned artifact layout. |
| Sovereign | Offline-ready feeds and trust roots. | Fully air-gapped scan runbook and importer/controller workflows. |
| Ecosystem | Extensible analyzers and outputs. | Compatibility tests for plugins and exporters; no network required. |
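The Foundation rows above (deterministic outputs, stable ordering, byte-stable SBOMs backed by golden fixtures) all reduce to one check: regenerate the artifact under conditions that should not matter and compare digests. The following is an added example, not StellaOps code; the SBOM shape, the `cmp-` identifier scheme, the `example-sbom/1` schema tag and the sample components are constructed for illustration. It canonicalizes the artifact (sorted keys, components ordered by content, set-like fields sorted), hashes it, regenerates it under shuffled input order and parallel execution, and pins the result against a golden digest. It also shows the usual failure mode, a per-run serial number, which the same check rejects. The same check is what the "byte-stable indexes with reproducible hash outputs across machines" row under the offline kit section below asks for.

```python
import hashlib
import json
import random
import uuid
from concurrent.futures import ThreadPoolExecutor

# Constructed sample input (not real scan output): components as an analyzer
# might emit them, deliberately in no particular order.
SAMPLE_COMPONENTS = [
    {"purl": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
     "licenses": ["MIT"]},
    {"purl": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
     "licenses": ["Apache-2.0"]},
    {"purl": "pkg:deb/debian/openssl@3.0.11-1", "name": "openssl",
     "version": "3.0.11-1", "licenses": ["OpenSSL", "Apache-2.0"]},
]


def canonical_bytes(obj) -> bytes:
    """Sorted keys, fixed separators, UTF-8: one logical object, one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def stable_component_id(component) -> str:
    """Hypothetical id scheme: derived from the purl only, so it never depends
    on scan order, machine, or time."""
    return "cmp-" + hashlib.sha256(component["purl"].encode("utf-8")).hexdigest()[:16]


def build_sbom(components, *, with_serial_number=False):
    """Build the artifact with normalized entries and a stable component order."""
    entries = [{
        "id": stable_component_id(c),
        "purl": c["purl"],
        "name": c["name"],
        "version": c["version"],
        "licenses": sorted(c["licenses"]),   # set-like field: sort it
    } for c in components]
    entries.sort(key=lambda e: e["purl"])    # order by content, not by input order
    sbom = {"schema": "example-sbom/1", "components": entries}
    if with_serial_number:
        sbom["serial_number"] = uuid.uuid4().hex   # the classic determinism bug
    return sbom


def artifact_digest(artifact) -> str:
    return hashlib.sha256(canonical_bytes(artifact)).hexdigest()


def check_determinism(components, build, runs=8) -> str:
    """Regenerate under shuffled input order and in parallel; return the one
    digest all runs agree on, or raise if the runs diverge."""
    def one_run(seed):
        shuffled = list(components)
        random.Random(seed).shuffle(shuffled)
        return artifact_digest(build(shuffled))

    with ThreadPoolExecutor(max_workers=4) as pool:
        digests = set(pool.map(one_run, range(runs)))
    if len(digests) != 1:
        raise AssertionError(f"non-deterministic artifact: {len(digests)} distinct digests")
    return digests.pop()


def is_deterministic(components, build) -> bool:
    try:
        check_determinism(components, build)
        return True
    except AssertionError:
        return False


def matches_golden(components, golden_digest) -> bool:
    """Golden-fixture check: pin the digest once the artifact is known good."""
    return check_determinism(components, build_sbom) == golden_digest


if __name__ == "__main__":
    print("digest:", check_determinism(SAMPLE_COMPONENTS, build_sbom))
    print("with serial number deterministic?",
          is_deterministic(SAMPLE_COMPONENTS,
                           lambda cs: build_sbom(cs, with_serial_number=True)))
```

The golden digest is pinned once, after a reviewed run, and any later change to the artifact layout is expected to change it; that is what makes the fixture a versioned contract rather than a snapshot.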

## Advisory ingestion

| Level | What exists | Minimum evidence |
|---|---|---|
| Foundation | Normalizers and deterministic merges into canonical stores. | Repeatable ingestion runs with stable IDs and ordering. |
| Hardened | Schema validation and drift controls. | Locked schemas, test fixtures, and failure modes documented. |
| Sovereign | Mirror-first and offline bundle imports. | Offline bundle format documented; import determinism verified. |
| Ecosystem | Connector library growth without regressions. | Connector conformance suite and fixture discipline. |

## VEX & verdicts

| Level | What exists | Minimum evidence |
|---|---|---|
| Foundation | OpenVEX ingestion and stable verdict outcomes. | Deterministic merges, explainable reasoning, stable verdict IDs. |
| Hardened | Trust model and audit trail. | Trust lattice rules documented; replay tests for merges/verdicts. |
| Sovereign | Bring-your-own trust roots and issuer governance. | Offline trust root provisioning and rotation procedures. |
| Ecosystem | Multiple issuer ecosystems and integrations. | Compatibility tests and validated importer adapters. |

## Policy engine

| Level | What exists | Minimum evidence |
|---|---|---|
| Foundation | Deterministic policy evaluation with consistent precedence. | Policy packs + golden decisions with stable ordering. |
| Hardened | Audit-grade policy traces. | Decision trace artifacts and replay tests for policy outputs. |
| Sovereign | Operator-controlled policy distribution. | Offline pack distribution and verification story. |
| Ecosystem | Policy contracts for third parties. | Compatibility suite and safe upgrade policy guarantees. |
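The Foundation and Hardened rows for the policy engine ask for consistent precedence, golden decisions, and decision trace artifacts that replay tests can pin. The example below is added here and is not the StellaOps policy engine; the rule schema (priority, field-equality match, action), the two constructed packs, and the findings are hypothetical. It orders rules by a canonical precedence key (priority, then rule id) so the load order of packs cannot change the outcome, records every rule considered, including matches shadowed by a higher-precedence rule, and pins the whole decision artifact to a digest for replay.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    priority: int   # higher wins; ties break on rule id, never on load order
    match: tuple    # ((field, value), ...) that must all equal the finding's fields
    action: str     # "block" | "warn" | "allow"


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    vex_status: str
    reachable: bool


# Constructed policy packs with hypothetical rule semantics. They are loaded in
# both orders below to show that load order does not affect the result.
PACK_A = (
    Rule("allow-not-affected", 90, (("vex_status", "not_affected"),), "allow"),
    Rule("block-critical", 50, (("severity", "critical"),), "block"),
)
PACK_B = (
    Rule("warn-unreachable-high", 20, (("severity", "high"), ("reachable", False)), "warn"),
    Rule("block-reachable-high", 50, (("severity", "high"), ("reachable", True)), "block"),
    Rule("default-allow", 0, (), "allow"),
)

# Constructed findings (ids are placeholders, not real advisories).
FINDINGS = (
    Finding("F-001", "critical", "affected", True),
    Finding("F-002", "critical", "not_affected", True),
    Finding("F-003", "high", "under_investigation", False),
    Finding("F-004", "high", "under_investigation", True),
    Finding("F-005", "medium", "affected", True),
)


def ordered_rules(rules):
    """Canonical precedence: priority descending, then rule id ascending."""
    return sorted(rules, key=lambda r: (-r.priority, r.id))


def evaluate(rules, finding):
    """Return the decision plus a trace of every rule considered, in precedence
    order, marking the selected rule and any matches it shadowed."""
    decision = None
    trace = []
    for rule in ordered_rules(rules):
        hit = all(getattr(finding, field) == value for field, value in rule.match)
        entry = {"rule": rule.id, "priority": rule.priority, "matched": hit}
        if hit:
            entry["status"] = "shadowed" if decision else "selected"
            decision = decision or rule.action
        trace.append(entry)
    return {"finding": finding.id, "decision": decision, "trace": trace}


def decision_artifact(rules, findings):
    """Evaluate all findings in a stable order so the artifact is replayable."""
    return [evaluate(rules, f) for f in sorted(findings, key=lambda f: f.id)]


def artifact_digest(artifact) -> str:
    canonical = json.dumps(artifact, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def replay(rules, findings, golden_digest) -> bool:
    """Replay test: regenerate the decisions and compare to the pinned digest."""
    return artifact_digest(decision_artifact(rules, findings)) == golden_digest


if __name__ == "__main__":
    for result in decision_artifact(PACK_A + PACK_B, FINDINGS):
        selected = [e["rule"] for e in result["trace"] if e.get("status") == "selected"]
        print(result["finding"], result["decision"], "via", selected)
    print("load-order independent:",
          replay(PACK_B + PACK_A, FINDINGS,
                 artifact_digest(decision_artifact(PACK_A + PACK_B, FINDINGS))))
```

Keeping shadowed matches in the trace is what makes the output explainable: an auditor can see not only which rule decided, but which lower-precedence rules would have fired and why they did not.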

## Offline kit & air-gap workflows

| Level | What exists | Minimum evidence |
|---|---|---|
| Foundation | Documented offline concepts and supported workflows. | `docs/24_OFFLINE_KIT.md` plus importer/controller docs and examples. |
| Hardened | Deterministic imports and verified indexes. | Byte-stable indexes with reproducible hash outputs across machines. |
| Sovereign | Independent trust anchors and mirrors. | Trust-root provisioning docs and an air-gapped "day-2 ops" runbook. |
| Ecosystem | Third-party bundles and toolchain integrations. | Conformance tests and offline bundle validation tooling. |

## Operations, observability, and security

| Level | What exists | Minimum evidence |
|---|---|---|
| Foundation | Clear service boundaries and deployment profiles. | Compose profiles and documented defaults. |
| Hardened | Runbooks, dashboards, and incident workflows. | Offline-importable dashboards and operational checklists. |
| Sovereign | Crypto agility and least-privilege by default. | Configurable crypto profiles and role/scopes documentation. |
| Ecosystem | Stable operator and SDK surfaces. | Versioned APIs and compatibility guarantees. |