git.stella-ops.org/docs/FEATURE_GAPS_REPORT.md
2026-01-14 18:39:19 +02:00


# Feature Gaps Report - Stella Ops Suite

(Auto-generated during feature matrix completion)

This report documents:

1. Features discovered in code but not listed in FEATURE_MATRIX.md
2. CLI/UI coverage gaps for existing features

## Batch 1: SBOM & Ingestion

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| SPDX 3.0 Build Attestation | Attestor | `BuildAttestationMapper.cs`, `DsseSpdx3Signer.cs`, `CombinedDocumentBuilder.cs` | - | - | Attestation & Signing |
| CycloneDX CBOM Support | Scanner | `CycloneDxCbomWriter.cs` | - | - | SBOM & Ingestion |
| Trivy DB Export (Offline) | Concelier | `TrivyDbExporterPlugin.cs`, `TrivyDbOrasPusher.cs`, `TrivyDbExportPlanner.cs` | `stella db export trivy` | - | Offline & Air-Gap |
| Layer SBOM Composition | Scanner | `SpdxLayerWriter.cs`, `CycloneDxLayerWriter.cs`, `LayerSbomService.cs` | `stella sbomer layer`, `stella scan layer-sbom` | - | SBOM & Ingestion |
| SBOM Advisory Matching | Concelier | `SbomAdvisoryMatcher.cs`, `SbomRegistryService.cs`, `ValkeyPurlCanonicalIndex.cs` | - | - | Advisory Sources |
| Graph Lineage Service | Graph | `IGraphLineageService.cs`, `InMemoryGraphLineageService.cs`, `LineageContracts.cs` | - | `/graph` | SBOM & Ingestion |
| Evidence Cards (SBOM excerpts) | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCardService.cs`, `EvidenceCard.cs` | - | Evidence drawer | Evidence & Findings |
| AirGap SBOM Parsing | AirGap | `SpdxParser.cs`, `CycloneDxParser.cs` | - | `/ops/offline-kit` | Offline & Air-Gap |
| SPDX License Normalization | Scanner | `SpdxLicenseNormalizer.cs`, `SpdxLicenseExpressions.cs`, `SpdxLicenseList.cs` | - | - | Scanning & Detection |
| SBOM Format Conversion | Scanner | `SpdxCycloneDxConverter.cs` | - | - | SBOM & Ingestion |
| SBOM Validation Pipeline | Scanner | `SbomValidationPipeline.cs`, `SemanticSbomExtensions.cs` | - | - | SBOM & Ingestion |
| CycloneDX Evidence Mapping | Scanner | `CycloneDxEvidenceMapper.cs` | - | - | SBOM & Ingestion |
| CycloneDX Pedigree Mapping | Scanner | `CycloneDxPedigreeMapper.cs` | - | - | SBOM & Ingestion |
| SBOM Snapshot Export | Graph | `SbomSnapshot.cs`, `SbomSnapshotExporter.cs` | - | - | Evidence & Findings |
| Lineage Evidence Packs | ExportCenter | `ILineageEvidencePackService.cs`, `LineageEvidencePack.cs`, `LineageExportEndpoints.cs` | - | `/triage/audit-bundles` | Evidence & Findings |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Delta-SBOM Cache | SbomService | No | No | Internal optimization - no action needed |
| SBOM Lineage Ledger | SbomService | No | Yes | Add `stella sbom lineage list/show` commands |
| SBOM Lineage API | SbomService | No | Yes | Add `stella sbom lineage export` command |
| SPDX 3.0 Build Attestation | Attestor | No | No | Add to Attestation & Signing matrix section |
| Graph Lineage Service | Graph | No | Yes | Consider `stella graph lineage` command |
| Trivy DB Export | Concelier | Partial | No | `stella db export trivy` exists but may need UI |

## Batch 2: Scanning & Detection

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| Secrets Detection (Regex+Entropy) | Scanner | `SecretsAnalyzer.cs`, `RegexDetector.cs`, `EntropyDetector.cs`, `CompositeSecretDetector.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Dpkg (Debian/Ubuntu) | Scanner | `DpkgPackageAnalyzer.cs`, `DpkgStatusParser.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Apk (Alpine) | Scanner | `ApkPackageAnalyzer.cs`, `ApkDatabaseParser.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - RPM (RHEL/CentOS) | Scanner | `RpmPackageAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Homebrew (macOS) | Scanner | `HomebrewPackageAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - macOS Bundles | Scanner | `MacOsBundleAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Windows (Chocolatey/MSI/WinSxS) | Scanner | `ChocolateyAnalyzer.cs`, `MsiAnalyzer.cs`, `WinSxSAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| Symbol-Level Vulnerability Matching | Scanner | `VulnSurfaceService.cs`, `AdvisorySymbolMapping.cs`, `AffectedSymbol.cs` | - | - | Scanning & Detection |
| SARIF 2.1.0 Export | Scanner | SARIF export in CLI | `stella scan sarif` | - | Scanning & Detection |
| Fidelity Upgrade (Quick->Standard->Deep) | Scanner | `FidelityAwareAnalyzer.UpgradeFidelityAsync()` | - | - | Scanning & Detection |
| OCI Multi-Architecture Support | Scanner | `OciImageInspector.cs` (amd64, arm64, etc.) | `stella image inspect` | - | Scanning & Detection |
| Symlink Resolution (32-level depth) | Scanner | `LayeredRootFileSystem.cs` | - | - | Scanning & Detection |
| Whiteout File Support | Scanner | `LayeredRootFileSystem.cs` | - | - | Scanning & Detection |
| NATS/Redis Scan Queue | Scanner | `NatsScanQueue.cs`, `RedisScanQueue.cs` | - | `/ops/scanner` | Operations |
| Determinism Controls | Scanner | `DeterminismContext.cs`, `DeterministicTimeProvider.cs`, `DeterministicRandomProvider.cs` | `stella scan replay` | `/ops/scanner` | Determinism & Reproducibility |
| Lease-Based Job Processing | Scanner | `LeaseHeartbeatService.cs`, `ScanJobProcessor.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| License-Risk Detection | Scanner | No | No | Planned Q4-2025 - not yet implemented |
| Secrets Detection | Scanner | Implicit | Implicit | Document in matrix (runs automatically during scan) |
| OS Package Analyzers | Scanner | Implicit | Implicit | Document in matrix (6 OS-level analyzers) |
| Symbol-Level Matching | Scanner | No | No | Advanced feature - consider exposing in findings detail |
| SARIF Export | Scanner | Yes | No | Consider adding SARIF download in UI |
| Concurrent Worker Config | Scanner | No | Yes | CLI option for worker count would help CI/CD |

## Batch 3: Reachability Analysis

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| 8-State Reachability Lattice | Reachability.Core | `ReachabilityLattice.cs` (28 state transitions) | - | `/reachability` | Reachability Analysis |
| Confidence Calculator | Reachability.Core | `ConfidenceCalculator.cs` (path/guard/hit bonuses) | - | - | Reachability Analysis |
| Evidence Weighted Score (EWS) | Signals | `EvidenceWeightedScoreCalculator.cs` (6 dimensions: RCH/RTS/BKP/XPL/SRC/MIT) | - | - | Scoring & Risk |
| Attested Reduction Scoring | Signals | VEX anchoring with short-circuit rules | - | - | Scoring & Risk |
| Hybrid Reachability Query | Reachability.Core | `IReachabilityIndex.cs` (static/runtime/hybrid/batch modes) | `stella reachgraph slice` | `/reachability` | Reachability Analysis |
| Reachability Replay/Verify | ReachGraph | `IReachabilityReplayService.VerifyAsync()` | `stella reachgraph replay/verify` | - | Determinism & Reproducibility |
| Graph Triple-Layer Storage | ReachGraph | `ReachGraphStoreService.cs` (Cache->DB->Archive) | - | - | Operations |
| Per-Graph Signing | ReachGraph | SHA256 artifact/provenance digests | - | - | Attestation & Signing |
| GraphViz/Mermaid Export | CLI | `stella reachability show --format dot/mermaid` | `stella reachability show` | - | Reachability Analysis |
| Reachability Drift Alerts | Docs | `19-reachability-drift-alert-flow.md` (state transition monitoring) | `stella drift` | - | Reachability Analysis |
| Evidence URIs | ReachGraph | `stella://reachgraph/{digest}/slice/{symbolId}` format | - | - | Evidence & Findings |
| Environment Guard Detection | Scanner | 20+ patterns (`process.env`, `sys.platform`, etc.) | - | `/reachability` | Reachability Analysis |
| Dynamic Loading Detection | Scanner | `require(variable)`, `import(variable)`, `Class.forName()` | - | - | Reachability Analysis |
| Reflection Call Detection | Scanner | Confidence scoring 0.5-0.6 for dynamic paths | - | - | Reachability Analysis |
| EWS Guardrails | Signals | Speculative cap (45), not-affected cap (15), runtime floor (60) | - | - | Scoring & Risk |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Runtime Signal Correlation | Signals | No | Yes | Add `stella signals inspect` command |
| Gate Detection | Scanner | No | Yes | Consider `stella reachability guards` command |
| Path Witness Generation | ReachGraph | Yes | No | Add witness path visualization in UI |
| Confidence Calculator | Reachability.Core | No | No | Internal implementation - consider exposing in findings |
| Evidence Weighted Score | Signals | No | Partial | Add `stella score explain` command |
| Graph Triple-Layer Storage | ReachGraph | No | No | Ops concern - consider admin commands |

## Batch 4: Binary Analysis

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| 4 Fingerprint Algorithm Types | BinaryIndex | `BasicBlockFingerprintGenerator.cs`, `ControlFlowGraphFingerprintGenerator.cs`, `StringRefsFingerprintGenerator.cs` | `stella binary fingerprint` | - | Binary Analysis |
| Alpine Corpus Support | BinaryIndex | `AlpineCorpusConnector.cs` | - | - | Binary Analysis |
| VEX Evidence Bridge | BinaryIndex | `IVexEvidenceGenerator.cs` | - | - | VEX Processing |
| Delta Signature Matching | BinaryIndex | `LookupByDeltaSignatureAsync()` | `stella deltasig` | - | Binary Analysis |
| Symbol Hash Matching | BinaryIndex | `LookupBySymbolHashAsync()` | `stella binary symbols` | - | Binary Analysis |
| Corpus Function Identification | BinaryIndex | `IdentifyFunctionFromCorpusAsync()` | - | - | Binary Analysis |
| Binary Call Graph Extraction | BinaryIndex | `binary callgraph` command | `stella binary callgraph` | - | Binary Analysis |
| 3-Tier Identification Strategy | BinaryIndex | Package/Build-ID/Fingerprint tiers | - | - | Binary Analysis |
| Fingerprint Validation Stats | BinaryIndex | `FingerprintValidationStats.cs` (TP/FP/TN/FN) | - | - | Binary Analysis |
| Changelog CVE Parsing | BinaryIndex | `DebianChangelogParser.cs` (CVE pattern extraction) | - | - | Binary Analysis |
| Secfixes Parsing | BinaryIndex | `ISecfixesParser.cs` (Alpine format) | - | - | Binary Analysis |
| Batch Binary Operations | BinaryIndex | All lookup methods support batching | - | - | Binary Analysis |
| Binary Match Confidence Scoring | BinaryIndex | 0.0-1.0 confidence for all matches | - | - | Binary Analysis |
| Architecture-Aware Filtering | BinaryIndex | Match filtering by architecture | - | - | Binary Analysis |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Alpine Corpus | BinaryIndex | No | No | Add to matrix as additional corpus |
| Corpus Ingestion UI | BinaryIndex | No | No | Consider admin UI for corpus management |
| VEX Evidence Bridge | BinaryIndex | No | No | Internal integration - document in VEX section |
| Fingerprint Visualization | BinaryIndex | Yes | No | Consider UI for function fingerprint display |
| Batch Operations | BinaryIndex | No | No | Internal API - consider batch CLI commands |
| Delta Signatures | BinaryIndex | Yes | No | Consider UI integration for patch detection |

## Batch 5: Advisory Sources

### Discovered Features (Not in Matrix)

**CRITICAL:** Matrix lists 11 sources, but codebase has 33+ connectors!

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| SUSE Connector | Concelier | `Connector.Distro.Suse/` | `stella db fetch suse` | - | Advisory Sources |
| Astra Linux Connector | Concelier | `Connector.Astra/` (FSTEC-certified Russian) | `stella db fetch astra` | - | Advisory Sources |
| Microsoft MSRC | Concelier | `vndr.msrc` vendor connector | - | - | Advisory Sources |
| Oracle Connector | Concelier | `vndr.oracle` vendor connector | - | - | Advisory Sources |
| Adobe Connector | Concelier | `vndr.adobe` vendor connector | - | - | Advisory Sources |
| Apple Connector | Concelier | `vndr.apple` vendor connector | - | - | Advisory Sources |
| Cisco Connector | Concelier | `vndr.cisco` vendor connector | - | - | Advisory Sources |
| Chromium Connector | Concelier | `vndr.chromium` vendor connector | - | - | Advisory Sources |
| VMware Connector | Concelier | `vndr.vmware` vendor connector | - | - | Advisory Sources |
| JVN (Japan) CERT | Concelier | `Connector.Jvn/` | - | - | Advisory Sources |
| ACSC (Australia) CERT | Concelier | `Connector.Acsc/` | - | - | Advisory Sources |
| CCCS (Canada) CERT | Concelier | `Connector.Cccs/` | - | - | Advisory Sources |
| CertFr (France) CERT | Concelier | `Connector.CertFr/` | - | - | Advisory Sources |
| CertBund (Germany) CERT | Concelier | `Connector.CertBund/` | - | - | Advisory Sources |
| CertCc CERT | Concelier | `Connector.CertCc/` | - | - | Advisory Sources |
| CertIn (India) CERT | Concelier | `Connector.CertIn/` | - | - | Advisory Sources |
| RU-BDU (Russia) CERT | Concelier | `Connector.Ru.Bdu/` | - | - | Advisory Sources |
| RU-NKCKI (Russia) CERT | Concelier | `Connector.Ru.Nkcki/` | - | - | Advisory Sources |
| KISA (South Korea) CERT | Concelier | `Connector.Kisa/` | - | - | Advisory Sources |
| ICS-CISA (Industrial) | Concelier | `Connector.Ics.Cisa/` | - | - | Advisory Sources |
| ICS-Kaspersky (Industrial) | Concelier | `Connector.Ics.Kaspersky/` | - | - | Advisory Sources |
| StellaOpsMirror (Internal) | Concelier | `Connector.StellaOpsMirror/` | - | - | Advisory Sources |
| Backport-Aware Precedence | Concelier | `ConfigurableSourcePrecedenceLattice.cs` | - | - | Advisory Sources |
| Link-Not-Merge Architecture | Concelier | Transitioning from merge to observation/linkset | - | - | Advisory Sources |
| Canonical Deduplication | Concelier | `ICanonicalAdvisoryService`, `CanonicalMerger.cs` | - | - | Advisory Sources |
| Change History Tracking | Concelier | `IChangeHistoryStore` (field-level diffs) | - | - | Advisory Sources |
| Feed Epoch Events | Concelier | `FeedEpochAdvancedEvent` (Provcache invalidation) | - | - | Advisory Sources |
| JSON Exporter | Concelier | `Exporter.Json/` (manifest-driven export) | `stella db export json` | - | Offline & Air-Gap |
| Trivy DB Exporter | Concelier | `Exporter.TrivyDb/` | `stella db export trivy` | - | Offline & Air-Gap |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| 22+ Connectors Missing from Matrix | Concelier | Partial | No | ADD TO MATRIX - major documentation gap |
| Vendor PSIRTs (7 connectors) | Concelier | No | No | Add vendor section to matrix |
| Regional CERTs (11 connectors) | Concelier | No | No | Add regional CERT section to matrix |
| Industrial/ICS (2 connectors) | Concelier | No | No | Add ICS section to matrix |
| Link-Not-Merge Transition | Concelier | No | No | Document new architecture in matrix |
| Backport Precedence | Concelier | No | No | Document in merge engine section |
| Change History | Concelier | No | No | Consider audit trail UI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md seriously underrepresents Concelier capabilities:

- Listed: 11 sources
- Actual: 33+ connectors

Recommended additions:

1. Add "Vendor PSIRTs" section (Microsoft, Oracle, Adobe, Apple, Cisco, Chromium, VMware)
2. Add "Regional CERTs" section (JVN, ACSC, CCCS, CertFr, CertBund, CertIn, RU-BDU, KISA, etc.)
3. Add "Industrial/ICS" section (ICS-CISA, ICS-Kaspersky)
4. Add "Additional Distros" section (SUSE, Astra Linux)
5. Document backport-aware precedence configuration

## Batch 6: VEX Processing

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| VEX Consensus Engine (5-state lattice) | VexLens | `VexConsensusEngine.cs`, `IVexConsensusEngine.cs` | `stella vex consensus` | `/vex` | VEX Processing |
| Trust Decay Service | VexLens | `TrustDecayService.cs`, `TrustDecayCalculator.cs` | - | - | VEX Processing |
| Noise Gate Service | VexLens | `NoiseGateService.cs` | - | `/vex` | VEX Processing |
| Consensus Rationale Service | VexLens | `IConsensusRationaleService.cs`, `ConsensusRationaleModels.cs` | - | `/vex` | VEX Processing |
| VEX Linkset Extraction | Excititor | `VexLinksetExtractionService.cs` | - | - | VEX Processing |
| VEX Linkset Disagreement Detection | Excititor | `VexLinksetDisagreementService.cs` | - | `/vex` | VEX Processing |
| VEX Statement Backfill | Excititor | `VexStatementBackfillService.cs` | - | - | VEX Processing |
| VEX Evidence Chunking | Excititor | `VexEvidenceChunkService.cs` | - | - | VEX Processing |
| Auto-VEX Downgrade | Excititor | `AutoVexDowngradeService.cs` | - | - | VEX Processing |
| Risk Feed Service | Excititor | `RiskFeedService.cs`, `RiskFeedEndpoints.cs` | - | - | VEX Processing |
| Trust Calibration Service | Excititor | `TrustCalibrationService.cs` | - | - | VEX Processing |
| VEX Hashing Service (deterministic) | Excititor | `VexHashingService.cs` | - | - | VEX Processing |
| CSAF Provider Connectors (7 total) | Excititor | `Connectors.*.CSAF/` (RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE) | - | - | VEX Processing |
| OCI OpenVEX Attestation Connector | Excititor | `Connectors.OCI.OpenVEX.Attest/` | - | - | VEX Processing |
| Issuer Key Lifecycle Management | IssuerDirectory | Key create/rotate/revoke endpoints | - | `/issuer-directory` | VEX Processing |
| Issuer Trust Override | IssuerDirectory | Trust override endpoints | - | `/issuer-directory` | VEX Processing |
| CSAF Publisher Bootstrap | IssuerDirectory | `csaf-publishers.json` seeding | - | - | VEX Processing |
| VEX Webhook Distribution | VexHub | `IWebhookService.cs`, `IWebhookSubscriptionRepository.cs` | - | - | VEX Processing |
| VEX Conflict Flagging | VexHub | `IStatementFlaggingService.cs` | - | - | VEX Processing |
| VEX from Drift Generation | CLI | `VexGenCommandGroup.cs` | `stella vex gen --from-drift` | - | VEX Processing |
| VEX Decision Signing | Policy | `VexDecisionSigningService.cs` | - | - | Policy Engine |
| VEX Proof Spine | Policy | `VexProofSpineService.cs` | - | - | Policy Engine |
| Consensus Propagation Rules | VexLens | `IPropagationRuleEngine.cs` | - | - | VEX Processing |
| Consensus Delta Computation | VexLens | `VexDeltaComputeService.cs` | - | - | VEX Processing |
| Triple-Layer Consensus Storage | VexLens | Cache->DB->Archive with `IConsensusProjectionStore.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| CSAF Provider Connectors | Excititor | No | No | Consider connector status UI in ops |
| Trust Weight Configuration | VexLens | No | Partial | Add `stella vex trust configure` command |
| VEX Distribution Webhooks | VexHub | No | No | Add webhook management UI/CLI |
| Conflict Resolution | VexLens | No | Partial | Interactive conflict resolution needed |
| Issuer Key Management | IssuerDirectory | No | Yes | Add `stella issuer keys` CLI |
| Risk Feed Distribution | Excititor | No | No | Consider risk feed CLI |
| Consensus Replay/Verify | VexLens | No | No | Add `stella vex verify` command |
| VEX Evidence Export | Excititor | No | No | Add `stella vex evidence export` |

### Matrix Update Recommendations

The FEATURE_MATRIX.md VEX section is significantly underspecified:

- Listed: Basic VEX support (OpenVEX, CSAF, CycloneDX)
- Actual: Full consensus engine with 5-state lattice, 9 trust factors, 7 CSAF connectors, conflict detection, issuer registry

Recommended additions:

1. Add "VEX Consensus Engine" as major feature (VexLens)
2. Add "Trust Weight Scoring" with 9 factors documented
3. Add "CSAF Provider Connectors" section (7 vendors)
4. Add "Issuer Trust Registry" (IssuerDirectory)
5. Add "VEX Distribution" (VexHub webhooks)
6. Document AOC (Aggregation-Only Contract) compliance
7. Add "VEX from Drift" generation capability

## Batch 7: Policy Engine

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| K4 Lattice (Belnap Four-Valued Logic) | Policy | `K4Lattice.cs`, `TrustLatticeEngine.cs`, `ClaimScoreMerger.cs` | - | `/policy` | Policy Engine |
| 10+ Policy Gate Types | Policy | `PolicyGateEvaluator.cs`, various `*Gate.cs` files | - | `/policy` | Policy Engine |
| Uncertainty Score Calculator | Policy.Determinization | `UncertaintyScoreCalculator.cs` (entropy 0.0-1.0) | - | - | Policy Engine |
| Decayed Confidence Calculator | Policy.Determinization | `DecayedConfidenceCalculator.cs` (14-day half-life) | - | - | Policy Engine |
| 6 Evidence Types | Policy.Determinization | `BackportEvidence.cs`, `CvssEvidence.cs`, `EpssEvidence.cs`, etc. | - | - | Policy Engine |
| 6 Risk Score Providers | RiskEngine | `CvssKevProvider.cs`, `EpssProvider.cs`, `FixChainRiskProvider.cs` | - | `/risk` | Scoring & Risk |
| FixChain Risk Metrics | RiskEngine | `FixChainRiskMetrics.cs`, `FixChainRiskDisplay.cs` | - | - | Scoring & Risk |
| Exception Effect Registry | Policy | `ExceptionEffectRegistry.cs`, `ExceptionAdapter.cs` | - | `/policy/exceptions` | Policy Engine |
| Exception Approval Rules | Policy | `IExceptionApprovalRulesService.cs` | - | `/policy/exceptions` | Policy Engine |
| Policy Simulation Service | Policy.Registry | `IPolicySimulationService.cs` | `stella policy simulate` | `/policy/simulate` | Policy Engine |
| Policy Promotion Pipeline | Policy.Registry | `IPromotionService.cs`, `IPublishPipelineService.cs` | - | - | Policy Engine |
| Review Workflow Service | Policy.Registry | `IReviewWorkflowService.cs` | - | - | Policy Engine |
| Sealed Mode Service | Policy | `ISealedModeService.cs` | - | `/ops` | Offline & Air-Gap |
| Verdict Attestation Service | Policy | `IVerdictAttestationService.cs` | - | - | Attestation & Signing |
| Policy Decision Attestation | Policy | `IPolicyDecisionAttestationService.cs` (DSSE/Rekor) | - | - | Attestation & Signing |
| Score Policy YAML Config | Policy | `ScorePolicyModels.cs`, `ScorePolicyLoader.cs` | `stella policy validate` | `/policy` | Policy Engine |
| Profile-Aware Scoring | Policy.Scoring | `ProfileAwareScoringService.cs`, `ScoringProfileService.cs` | - | - | Policy Engine |
| Freshness-Aware Scoring | Policy | `FreshnessAwareScoringService.cs` | - | - | Policy Engine |
| Jurisdiction Trust Rules | Policy.Vex | `JurisdictionTrustRules.cs` | - | - | Policy Engine |
| VEX Customer Override | Policy.Vex | `VexCustomerOverride.cs` | - | - | Policy Engine |
| Attestation Report Service | Policy | `IAttestationReportService.cs` | - | - | Attestation & Signing |
| Risk Scoring Trigger Service | Policy.Scoring | `RiskScoringTriggerService.cs` | - | - | Scoring & Risk |
| Policy Lint Endpoint | Policy | `/policy/lint` | - | - | Policy Engine |
| Policy Determinism Verification | Policy | `/policy/verify-determinism` | - | - | Determinism & Reproducibility |
| AdvisoryAI Knobs Endpoint | Policy | `/policy/advisory-ai/knobs` | - | - | Policy Engine |
| Stability Damping Gate | Policy | `StabilityDampingGate.cs` | - | - | Policy Engine |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| K4 Lattice Operations | Policy | No | Partial | Add `stella policy lattice explain` for debugging |
| Risk Provider Configuration | RiskEngine | No | No | Provider configuration needs CLI/UI exposure |
| Exception Approval Workflow | Policy | No | Yes | Add `stella policy exception approve/reject` CLI |
| Determinization Signal Weights | Policy | No | No | Allow signal weight tuning via CLI/config |
| Policy Pack Promotion | Policy.Registry | No | Partial | Add `stella policy promote` CLI |
| Score Policy Tuning | Policy.Scoring | Partial | Partial | Expand `stella policy` commands |
| Verdict Attestation Export | Policy | No | No | Add `stella policy verdicts export` |
| Risk Scoring History | RiskEngine | No | Partial | Consider historical trend CLI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Policy section covers basics but misses advanced features:

- Listed: Basic policy evaluation, exceptions
- Actual: Full K4 lattice, 10+ gate types, 6 risk providers, determinization system

Recommended additions:

1. Add "K4 Lattice Logic" as core feature (Belnap four-valued logic)
2. Add "Policy Gate Types" section (10+ specialized gates)
3. Add "Risk Score Providers" section (6 providers with distinct purposes)
4. Add "Determinization System" (signal weights, decay, uncertainty)
5. Add "Score Policy Configuration" (YAML-based policy tuning)
6. Add "Policy Simulation" as distinct feature
7. Add "Verdict Attestations" (DSSE/Rekor integration)
8. Document "Sealed Mode" for air-gap operations

## Batch 8: Attestation & Signing

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| 25+ Predicate Types | Attestor | `StellaOps.Attestor.ProofChain/Predicates/` | - | - | Attestation & Signing |
| Keyless Signing (Fulcio) | Signer | `KeylessDsseSigner.cs`, `HttpFulcioClient.cs` | `stella sign keyless` | - | Attestation & Signing |
| Ephemeral Key Generation | Signer.Keyless | `EphemeralKeyGenerator.cs`, `EphemeralKeyPair.cs` | - | - | Attestation & Signing |
| OIDC Token Provider | Signer.Keyless | `IOidcTokenProvider.cs`, `AmbientOidcTokenProvider.cs` | - | - | Attestation & Signing |
| Key Rotation Service | Signer.KeyManagement | `IKeyRotationService.cs`, `KeyRotationService.cs` | `/keys/rotate` API | - | Attestation & Signing |
| Trust Anchor Manager | Signer.KeyManagement | `ITrustAnchorManager.cs`, `TrustAnchorManager.cs` | - | - | Attestation & Signing |
| Delta Attestations (4 types) | Attestor | `IDeltaAttestationService.cs` (VEX/SBOM/Verdict/Reachability) | - | - | Attestation & Signing |
| Layer Attestation Service | Attestor | `ILayerAttestationService.cs` | - | - | Attestation & Signing |
| Attestation Chain Builder | Attestor | `AttestationChainBuilder.cs`, `AttestationChainValidator.cs` | - | - | Attestation & Signing |
| Attestation Link Store | Attestor | `IAttestationLinkStore.cs`, `IAttestationLinkResolver.cs` | - | - | Attestation & Signing |
| Rekor Submission Queue | Attestor | `IRekorSubmissionQueue.cs` (durable retry) | - | - | Attestation & Signing |
| Cached Verification Service | Attestor | `CachedAttestorVerificationService.cs` | - | - | Attestation & Signing |
| Offline Bundle Service | Attestor | `IAttestorBundleService.cs` | - | `/ops/offline-kit` | Offline & Air-Gap |
| Signer Quota Service | Signer | `ISignerQuotaService.cs` | - | - | Operations |
| Signer Audit Sink | Signer | `ISignerAuditSink.cs`, `InMemorySignerAuditSink.cs` | - | - | Operations |
| Proof of Entitlement | Signer | `IProofOfEntitlementIntrospector.cs` (JWT/MTLS) | - | - | Auth & Access Control |
| Release Integrity Verifier | Signer | `IReleaseIntegrityVerifier.cs` | - | - | Attestation & Signing |
| JSON Canonicalizer (RFC 8785) | Attestor | `JsonCanonicalizer.cs` | - | - | Determinism & Reproducibility |
| Predicate Type Router | Attestor | `IPredicateTypeRouter.cs`, `PredicateTypeRouter.cs` | - | - | Attestation & Signing |
| Standard Predicate Registry | Attestor | `IStandardPredicateRegistry.cs` | - | - | Attestation & Signing |
| HMAC Signing | Signer | `HmacDsseSigner.cs` | - | - | Attestation & Signing |
| SM2 Algorithm Support | Signer | `CryptoDsseSigner.cs` (SM2 branch) | - | - | Regional Crypto |
| Promotion Attestation | Provenance | `PromotionAttestation.cs` | - | - | Release Orchestration |
| Cosign/KMS Signer | Provenance | `CosignAndKmsSigner.cs` | - | - | Attestation & Signing |
| Rotating Signer | Provenance | `RotatingSigner.cs` | - | - | Attestation & Signing |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Key Rotation | Signer | No | No | Add `stella keys rotate` CLI command |
| Trust Anchor Management | Signer | No | No | Add `stella trust-anchors` commands |
| Attestation Chain Visualization | Attestor | No | Partial | Add chain visualization UI |
| Predicate Registry Browser | Attestor | No | No | Add `stella attest predicates list` |
| Delta Attestation CLI | Attestor | No | No | Add `stella attest delta` commands |
| Signer Audit Logs | Signer | No | No | Add `stella sign audit` command |
| Rekor Submission Status | Attestor | No | No | Add submission queue status UI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Attestation section lists basic DSSE/in-toto support:

- Listed: Basic attestation attach/verify, SLSA provenance
- Actual: 25+ predicate types, keyless signing, key rotation, attestation chains

Recommended additions:

1. Add "Predicate Types" section (25+ types documented)
2. Add "Keyless Signing (Sigstore)" as major feature
3. Add "Key Rotation Service" for Enterprise tier
4. Add "Trust Anchor Management" for Enterprise tier
5. Add "Attestation Chains" feature
6. Add "Delta Attestations" (VEX/SBOM/Verdict/Reachability)
7. Document "Offline Bundle Service" for air-gap
8. Add "SM2 Algorithm Support" in Regional Crypto section

## Batch 9: Regional Crypto

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| 8 Signature Profiles | Cryptography | `SignatureProfile.cs` | - | - | Regional Crypto |
| Ed25519 Baseline Signing | Cryptography | `Ed25519Signer.cs`, `Ed25519Verifier.cs` | - | - | Regional Crypto |
| ECDSA P-256 Profile | Cryptography | `EcdsaP256Signer.cs` | - | - | Regional Crypto |
| FIPS 140-2 Plugin | Cryptography | `FipsPlugin.cs` | - | - | Regional Crypto |
| GOST R 34.10-2012 Plugin | Cryptography | `GostPlugin.cs` | - | - | Regional Crypto |
| SM2/SM3/SM4 Plugin | Cryptography | `SmPlugin.cs` | - | - | Regional Crypto |
| eIDAS Plugin (CAdES/XAdES) | Cryptography | `EidasPlugin.cs` | - | - | Regional Crypto |
| HSM Plugin (PKCS#11) | Cryptography | `HsmPlugin.cs` (simulated + production) | - | - | Regional Crypto |
| CryptoPro GOST (Windows) | Cryptography | `CryptoProGostCryptoProvider.cs` | - | - | Regional Crypto |
| Multi-Profile Signing | Cryptography | `MultiProfileSigner.cs` | - | - | Regional Crypto |
| SM Remote Service | SmRemote | `Program.cs` | - | - | Regional Crypto |
| Post-Quantum Profiles (Defined) | Cryptography | `SignatureProfile.cs` (Dilithium, Falcon) | - | - | Regional Crypto |
| RFC 3161 TSA Integration | Cryptography | `EidasPlugin.cs` | - | - | Regional Crypto |
| Simulated HSM Client | Cryptography | `SimulatedHsmClient.cs` | - | - | Regional Crypto |
| GOST Block Cipher (28147-89) | Cryptography | `GostPlugin.cs` | - | - | Regional Crypto |
| SM4 Encryption (CBC/ECB/GCM) | Cryptography | `SmPlugin.cs` | - | - | Regional Crypto |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Crypto Profile Selection | Cryptography | No | No | Add `stella crypto profiles` command |
| Plugin Health Check | Cryptography | No | No | Add plugin status endpoint |
| Key Management CLI | Cryptography | No | No | Add `stella keys` commands |
| HSM Status | Cryptography | No | No | Add HSM health monitoring |
| Post-Quantum Implementation | Cryptography | No | No | Implement Dilithium/Falcon when stable |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Regional Crypto section mentions only FIPS/eIDAS/GOST:

- Listed: Basic regional compliance mentions
- Actual: 8 signature profiles, 6 plugins, HSM support, post-quantum readiness

Recommended additions:

1. Add "Signature Profiles" section (8 profiles documented)
2. Add "Plugin Architecture" description
3. Add "Multi-Profile Signing" capability (dual-stack signatures)
4. Add "SM Remote Service" for Chinese market
5. Add "Post-Quantum Readiness" (Dilithium, Falcon defined)
6. Add "HSM Integration" (PKCS#11 + simulation)
7. Document plugin configuration options
8. Add "CryptoPro GOST" for Windows environments

## Batch 10: Evidence & Findings

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| WORM Storage (S3 Object Lock) | EvidenceLocker | `S3EvidenceObjectStore.cs` | - | - | Evidence & Findings |
| Verdict Attestations (DSSE) | EvidenceLocker | `VerdictEndpoints.cs`, `VerdictContracts.cs` | - | `/evidence-export` | Evidence & Findings |
| Append-Only Ledger Events | Findings | `ILedgerEventRepository.cs`, `LedgerEventModels.cs` | - | `/findings` | Evidence & Findings |
| Alert Triage Bands (hot/warm/cold) | Findings | `DecisionModels.cs` | - | `/findings` | Evidence & Findings |
| Merkle Anchoring | Findings | `Infrastructure/Merkle/` | - | - | Evidence & Findings |
| Evidence Holds (Legal) | EvidenceLocker | `EvidenceHold.cs` | - | - | Evidence & Findings |
| Evidence Pack Service | Evidence.Pack | `IEvidencePackService.cs`, `EvidencePack.cs` | - | `/evidence-thread` | Evidence & Findings |
| Evidence Card Service | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCard.cs` | - | - | Evidence & Findings |
| Profile-Based Export | ExportCenter | `ExportApiEndpoints.cs`, `ExportProfile` | - | `/evidence-export` | Evidence & Findings |
| Risk Bundle Export | ExportCenter | `RiskBundleEndpoints.cs` | - | `/evidence-export` | Evidence & Findings |
| Audit Bundle Export | ExportCenter | `AuditBundleEndpoints.cs` | - | - | Evidence & Findings |
| Lineage Evidence Export | ExportCenter | `LineageExportEndpoints.cs` | - | `/lineage` | Evidence & Findings |
| SSE Export Streaming | ExportCenter | Real-time run events | - | - | Evidence & Findings |
| Incident Mode | Findings | `IIncidentModeState.cs` | - | - | Evidence & Findings |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Evidence Holds | EvidenceLocker | No | No | Add legal hold management CLI |
| Audit Bundle Export | ExportCenter | No | Partial | Add `stella export audit` command |
| Incident Mode | Findings | No | No | Add `stella findings incident` commands |

## Batch 11: Determinism & Replay

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| Hybrid Logical Clock | HybridLogicalClock | `HybridLogicalClock.cs`, `HlcTimestamp.cs` | - | - | Determinism & Replay |
| HLC State Persistence | HybridLogicalClock | `IHlcStateStore.cs` | - | - | Determinism & Replay |
| Canonical JSON (RFC 8785) | Canonical.Json | `CanonJson.cs`, `CanonVersion.cs` | - | - | Determinism & Replay |
| Replay Manifests V1/V2 | Replay.Core | `ReplayManifest.cs` | `stella scan replay` | - | Determinism & Replay |
| Knowledge Snapshots | Replay.Core | `KnowledgeSnapshot.cs` | - | - | Determinism & Replay |
| Replay Proofs (DSSE) | Replay.Core | `ReplayProof.cs` | `stella prove` | - | Determinism & Replay |
| Evidence Weighted Scoring (6 factors) | Signals | `EvidenceWeightedScoreCalculator.cs` | - | - | Scoring & Risk |
| Score Buckets (ActNow/ScheduleNext/Investigate/Watchlist) | Signals | Scoring algorithm | - | - | Scoring & Risk |
| Attested Reduction (short-circuit) | Signals | VEX anchoring logic | - | - | Scoring & Risk |
| Timeline Events | Eventing | `TimelineEvent.cs`, `ITimelineEventEmitter.cs` | - | - | Determinism & Replay |
| Deterministic Event IDs | Eventing | `EventIdGenerator.cs` (SHA-256) | - | - | Determinism & Replay |
| Transactional Outbox | Eventing | `TimelineOutboxProcessor.cs` | - | - | Determinism & Replay |
| Event Signing (DSSE) | Eventing | `IEventSigner.cs` | - | - | Determinism & Replay |
| Replay Bundle Writer | Replay.Core | `StellaReplayBundleWriter.cs` (tar.zst) | - | - | Determinism & Replay |
| Dead Letter Replay | Orchestrator | `IReplayManager.cs`, `ReplayManager.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| HLC Inspection | HybridLogicalClock | No | No | Add `stella hlc status` command |
| Timeline Events | Eventing | No | No | Add `stella timeline query` command |
| Scoring Explanation | Signals | No | No | Add `stella score explain` command |

Batch 12: Operations

Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| Impact Index (Roaring bitmaps) | Scheduler | `IImpactIndex.cs` | - | - | Operations |
| Graph Build/Overlay Jobs | Scheduler | `IGraphJobService.cs` | - | `/ops/scheduler` | Operations |
| Run Preview (dry-run) | Scheduler | `RunEndpoints.cs` | - | - | Operations |
| SSE Run Streaming | Scheduler | `/runs/{runId}/stream` | - | - | Operations |
| Job Repository | Orchestrator | `IJobRepository.cs`, `Job.cs` | - | `/orchestrator` | Operations |
| Lease Management | Orchestrator | `LeaseNextAsync()`, `ExtendLeaseAsync()` | - | - | Operations |
| Dead Letter Classification | Orchestrator | `DeadLetterEntry.cs` | - | `/orchestrator` | Operations |
| First Signal Service | Orchestrator | `IFirstSignalService.cs` | - | - | Operations |
| Task Pack Execution | TaskRunner | `ITaskRunnerClient.cs` | - | - | Operations |
| Plan-Hash Binding | TaskRunner | Deterministic validation | - | - | Operations |
| Approval Gates | TaskRunner | `ApprovalDecisionRequest.cs` | - | - | Operations |
| Artifact Capture | TaskRunner | Digest tracking | - | - | Operations |
| Timeline Query Service | TimelineIndexer | `ITimelineQueryService.cs` | - | - | Operations |
| Timeline Ingestion | TimelineIndexer | `ITimelineIngestionService.cs` | - | - | Operations |
| Token-Bucket Rate Limiting | Orchestrator | Adaptive refill per tenant | - | - | Operations |
| Job Watermarks | Orchestrator | Ordering guarantees | - | - | Operations |

Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Impact Preview | Scheduler | No | Partial | Add `stella scheduler preview` command |
| Job Management | Orchestrator | No | Yes | Add `stella orchestrator jobs` commands |
| Dead Letter Operations | Orchestrator | No | Yes | Add `stella orchestrator deadletter` commands |
| TaskRunner CLI | TaskRunner | No | No | Add `stella taskrunner` commands |
| Timeline Query CLI | TimelineIndexer | No | No | Add `stella timeline` commands |

Batch 13: Release Orchestration

Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| Environment Bundles | ReleaseOrchestrator | `IEnvironmentBundleService.cs`, `EnvironmentBundle.cs` | - | `/releases` | Release Orchestration |
| Promotion Workflows | ReleaseOrchestrator | `IPromotionWorkflowService.cs`, `PromotionRequest.cs` | - | `/releases` | Release Orchestration |
| Rollback Service | ReleaseOrchestrator | `IRollbackService.cs`, `RollbackRequest.cs` | - | `/releases` | Release Orchestration |
| Deployment Agents (Docker/Compose/ECS/Nomad) | ReleaseOrchestrator | `IDeploymentAgent.cs`, various agent implementations | - | `/releases` | Release Orchestration |
| Progressive Delivery (A/B, Canary) | ReleaseOrchestrator | `IProgressiveDeliveryService.cs` | - | `/releases` | Release Orchestration |
| Hook System (Pre/Post Deploy) | ReleaseOrchestrator | `IHookExecutionService.cs`, `Hook.cs` | - | `/releases` | Release Orchestration |
| Approval Gates (Multi-Stage) | ReleaseOrchestrator | `IApprovalGateService.cs`, `ApprovalGate.cs` | - | `/releases` | Release Orchestration |
| Release Bundle Signing | ReleaseOrchestrator | `IReleaseBundleSigningService.cs` | - | - | Release Orchestration |
| Environment Promotion History | ReleaseOrchestrator | `IPromotionHistoryService.cs` | - | `/releases` | Release Orchestration |
| Deployment Lock Service | ReleaseOrchestrator | `IDeploymentLockService.cs` | - | - | Release Orchestration |
| Release Manifest Generation | ReleaseOrchestrator | `IReleaseManifestService.cs` | - | - | Release Orchestration |
| Promotion Attestations | ReleaseOrchestrator | `PromotionAttestation.cs` | - | - | Attestation & Signing |
| Environment Health Checks | ReleaseOrchestrator | `IEnvironmentHealthService.cs` | - | `/releases` | Release Orchestration |
| Deployment Verification Tests | ReleaseOrchestrator | `IVerificationTestService.cs` | - | - | Release Orchestration |

Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Release Bundle Creation | ReleaseOrchestrator | No | Partial | Add `stella release create` command |
| Environment Promotion | ReleaseOrchestrator | No | Yes | Add `stella release promote` command |
| Rollback Operations | ReleaseOrchestrator | No | Yes | Add `stella release rollback` command |
| Hook Management | ReleaseOrchestrator | No | Partial | Add `stella release hooks` commands |
| Deployment Agent Status | ReleaseOrchestrator | No | Partial | Add `stella agent status` command |

Matrix Update Recommendations

The FEATURE_MATRIX.md Release Orchestration section is still largely marked as planned, although much of it is implemented:

  • Listed: Basic environment management concepts
  • Actual: Full promotion workflow, deployment agents, progressive delivery

Recommended additions:

  1. Add "Deployment Agents" section (Docker, Compose, ECS, Nomad)
  2. Add "Progressive Delivery" (A/B, Canary strategies)
  3. Add "Approval Gates" (multi-stage approvals)
  4. Add "Hook System" (pre/post deployment hooks)
  5. Add "Promotion Attestations" (DSSE signing of promotions)
  6. Document "Environment Health Checks"

Batch 14: Auth & Access Control

Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| 75+ Authorization Scopes | Authority | `AuthorizationScopeConstants.cs` | - | `/admin/roles` | Auth & Access Control |
| DPoP Sender Constraints | Authority | `DPoPService.cs`, `DPoPValidator.cs` | - | - | Auth & Access Control |
| mTLS Sender Constraints | Authority | `MtlsClientCertificateValidator.cs` | - | - | Auth & Access Control |
| Device Authorization Flow | Authority | `DeviceAuthorizationEndpoints.cs` | - | `/login` | Auth & Access Control |
| JWT Profile for OAuth | Authority | `JwtBearerClientAssertionValidator.cs` | - | - | Auth & Access Control |
| PAR (Pushed Authorization Requests) | Authority | `ParEndpoints.cs` | - | - | Auth & Access Control |
| Tenant Isolation | Authority | `ITenantContext.cs`, `TenantResolutionMiddleware.cs` | - | - | Auth & Access Control |
| Role-Based Access Control | Authority | `IRoleService.cs`, `Role.cs` | - | `/admin/roles` | Auth & Access Control |
| Permission Grant Service | Authority | `IPermissionGrantService.cs` | - | - | Auth & Access Control |
| Token Introspection | Authority | `TokenIntrospectionEndpoints.cs` | - | - | Auth & Access Control |
| Token Revocation | Authority | `TokenRevocationEndpoints.cs` | - | - | Auth & Access Control |
| OAuth Client Management | Authority | `IClientRepository.cs`, `Client.cs` | - | `/admin/clients` | Auth & Access Control |
| User Federation (LDAP/SAML) | Authority | `IFederationProvider.cs` | - | `/admin/federation` | Auth & Access Control |
| Session Management | Authority | `ISessionStore.cs`, `Session.cs` | - | - | Auth & Access Control |
| Consent Management | Authority | `IConsentStore.cs`, `Consent.cs` | - | `/consent` | Auth & Access Control |
| Registry Token Service | Registry | `ITokenService.cs`, `TokenModels.cs` | `stella registry login` | - | Auth & Access Control |
| Scope-Based Token Minting | Registry | Pull/push/catalog scope handling | - | - | Auth & Access Control |
| Token Refresh Flow | Authority | Refresh token rotation | - | - | Auth & Access Control |
| Multi-Factor Authentication | Authority | `IMfaService.cs` | - | `/login/mfa` | Auth & Access Control |
| API Key Management | Authority | `IApiKeyService.cs` | - | `/admin/api-keys` | Auth & Access Control |

Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Scope Management | Authority | No | Yes | Add `stella auth scopes` commands |
| DPoP Configuration | Authority | No | No | Add DPoP configuration documentation |
| Client Management | Authority | No | Yes | Add `stella auth clients` commands |
| Role Management | Authority | No | Yes | Add `stella auth roles` commands |
| API Key Operations | Authority | No | Yes | Add `stella auth api-keys` commands |
| Token Introspection | Authority | No | No | Add `stella auth token inspect` command |

Matrix Update Recommendations

The FEATURE_MATRIX.md Auth section covers the basics but omits the advanced features:

  • Listed: Basic OAuth/OIDC, RBAC
  • Actual: 75+ scopes, DPoP/mTLS, federation, advanced OAuth flows

Recommended additions:

  1. Add "Authorization Scopes" section (75+ granular scopes)
  2. Add "Sender Constraints" (DPoP, mTLS)
  3. Add "Device Authorization Flow" for CLI/IoT
  4. Add "User Federation" (LDAP, SAML integration)
  5. Add "PAR Support" for security-conscious clients
  6. Add "Multi-Factor Authentication"
  7. Add "API Key Management" for service accounts
  8. Document "Tenant Isolation" architecture

Batch 15: Notifications & Integrations

Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---|---|---|---|---|---|
| 10 Notification Channel Types | Notify | Email, Slack, Teams, Webhook, PagerDuty, SNS, SQS, Pub/Sub, Discord, Matrix | - | `/notifications` | Notifications |
| Template-Based Notifications | Notify | `INotificationTemplateService.cs`, `NotificationTemplate.cs` | - | `/notifications` | Notifications |
| Channel Routing Rules | Notify | `IChannelRoutingService.cs`, `RoutingRule.cs` | - | `/notifications` | Notifications |
| Delivery Receipt Tracking | Notify | `IDeliveryReceiptService.cs`, `DeliveryReceipt.cs` | - | - | Notifications |
| Notification Preferences | Notify | `IPreferenceService.cs`, `UserPreference.cs` | - | `/settings` | Notifications |
| Digest/Batch Notifications | Notify | `IDigestService.cs` | - | `/notifications` | Notifications |
| Kubernetes Admission Webhooks | Zastava | `AdmissionWebhookEndpoints.cs` | - | - | Integrations |
| OCI Registry Push Hooks | Zastava | `IWebhookProcessor.cs`, `RegistryPushEvent.cs` | - | - | Integrations |
| Scan-on-Push Trigger | Zastava | Auto-trigger scanning on registry push | - | - | Integrations |
| SCM Webhooks (GitHub/GitLab/Bitbucket) | Integrations | `IScmWebhookHandler.cs` | - | `/integrations` | Integrations |
| CI/CD Webhooks | Integrations | Jenkins, CircleCI, GitHub Actions integration | - | `/integrations` | Integrations |
| Issue Tracker Integration | Integrations | Jira, GitHub Issues, Linear integration | - | `/integrations` | Integrations |
| Slack App Integration | Integrations | `ISlackAppService.cs`, slash commands | - | `/integrations` | Integrations |
| MS Teams App Integration | Integrations | `ITeamsAppService.cs`, adaptive cards | - | `/integrations` | Integrations |
| Notification Studio | Notifier | Template design and preview | - | `/notifications/studio` | Notifications |
| Escalation Rules | Notify | `IEscalationService.cs` | - | `/notifications` | Notifications |
| On-Call Schedule Integration | Notify | PagerDuty, OpsGenie integration | - | `/notifications` | Notifications |
| Webhook Retry Logic | Notify | Exponential backoff, dead letter | - | - | Notifications |
| Event-Driven Notifications | Notify | Timeline event subscription | - | - | Notifications |
| Custom Webhook Payloads | Integrations | `IWebhookPayloadFormatter.cs` | - | `/integrations` | Integrations |

Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---|---|---|---|---|
| Channel Configuration | Notify | No | Yes | Add `stella notify channels` commands |
| Template Management | Notify | No | Yes | Add `stella notify templates` commands |
| Webhook Testing | Integrations | No | Partial | Add `stella integrations test` command |
| K8s Webhook Installation | Zastava | No | No | Add `stella zastava install` command |
| Notification Preferences | Notify | No | Yes | Add `stella notify preferences` commands |

Matrix Update Recommendations

The FEATURE_MATRIX.md Notifications section covers only the basics:

  • Listed: Basic webhook/email notifications
  • Actual: 10 channel types, template engine, routing rules, escalation

Recommended additions:

  1. Add "Notification Channels" section (10 types)
  2. Add "Template Engine" for customizable messages
  3. Add "Channel Routing" for rule-based delivery
  4. Add "Escalation Rules" for incident response
  5. Add "Notification Studio" for template design
  6. Add "Kubernetes Admission Webhooks" (Zastava)
  7. Add "SCM Integrations" (GitHub, GitLab, Bitbucket)
  8. Add "CI/CD Integrations" (Jenkins, CircleCI, GitHub Actions)
  9. Add "Issue Tracker Integration" (Jira, GitHub Issues)
  10. Document "Scan-on-Push" auto-trigger

Summary: Overall Matrix Gaps

Major Documentation Gaps Identified

| Category | Matrix Coverage | Actual Coverage | Gap Severity |
|---|---|---|---|
| Advisory Sources | 11 sources | 33+ connectors | CRITICAL |
| VEX Processing | Basic | Full consensus engine | HIGH |
| Attestation & Signing | Basic | 25+ predicates | HIGH |
| Auth Scopes | Basic RBAC | 75+ granular scopes | HIGH |
| Policy Engine | Basic | K4 lattice, 10+ gates | MEDIUM |
| Regional Crypto | 3 profiles | 8 profiles, 6 plugins | MEDIUM |
| Notifications | 2 channels | 10 channels | MEDIUM |
| Binary Analysis | Basic | 4 fingerprint algorithms | MEDIUM |
| Release Orchestration | Planned | Partially implemented | LOW |

CLI/UI Coverage Statistics

| Metric | Value |
|---|---|
| Features with CLI | ~65% |
| Features with UI | ~70% |
| Features with both | ~55% |
| Internal-only features | ~25% |

  1. Immediate: Update Advisory Sources section (33+ connectors undocumented)
  2. High Priority: Document VEX consensus engine capabilities
  3. High Priority: Document attestation predicate types
  4. Medium Priority: Update auth scopes documentation
  5. Medium Priority: Complete policy engine documentation
  6. Low Priority: Document internal operations features