git.stella-ops.org/docs/FEATURE_MATRIX_COMPLETE.md
2026-01-14 18:39:19 +02:00

# Complete Feature Matrix - Stella Ops Suite
*(Auto-generated with code mapping)*
> This document extends `FEATURE_MATRIX.md` with module/file mappings and CLI/UI coverage verification.
---
## SBOM & Ingestion
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Trivy-JSON Ingestion | Free/Pro/Ent | Concelier | `TrivyDbExporterPlugin.cs`, `TrivyDbBoltBuilder.cs` | - | `/concelier/trivy-db-settings` | Implemented |
| SPDX-JSON 3.0.1 Ingestion | Free/Pro/Ent | Concelier, Scanner | `SbomParser.cs`, `SpdxJsonLdSerializer.cs` | `stella sbom list --format spdx` | `/sbom-sources` | Implemented |
| CycloneDX 1.7 Ingestion | Free/Pro/Ent | Concelier, Scanner | `SbomParser.cs`, `CycloneDxComposer.cs` | `stella sbom list --format cyclonedx` | `/sbom-sources` | Implemented |
| Auto-format Detection | Free/Pro/Ent | Concelier | `ISbomParser.cs`, `SbomParser.cs` (DetectFormatAsync) | Implicit in `stella sbom` | Implicit | Implemented |
| Delta-SBOM Cache | Free/Pro/Ent | SbomService | `VexDeltaRepository.cs`, `InMemoryLineageCompareCache.cs`, `ValkeyLineageCompareCache.cs` | - | - | Implemented |
| SBOM Generation (all formats) | Free/Pro/Ent | Scanner | `SpdxComposer.cs`, `CycloneDxComposer.cs`, `SpdxLayerWriter.cs`, `CycloneDxLayerWriter.cs` | `stella scan run` | `/findings` (scan results) | Implemented |
| Semantic SBOM Diff | Free/Pro/Ent | Scanner, SbomService | `SbomDiff.cs`, `SbomDiffEngine.cs`, `LineageCompareService.cs` | - | `/lineage` | Implemented |
| BYOS (Bring-Your-Own-SBOM) | Free/Pro/Ent | Scanner | `SbomByosUploadService.cs`, `SbomUploadStore.cs`, `SbomUploadEndpoints.cs` | `stella sbom upload` (pending) | `/sbom-sources` | Implemented |
| SBOM Lineage Ledger | Enterprise | SbomService | `SbomLineageEdgeRepository.cs`, `SbomLedgerModels.cs`, `SbomServiceDbContext.cs` | - | `/lineage` | Implemented |
| SBOM Lineage API | Enterprise | SbomService, Graph | `ILineageGraphService.cs`, `SbomLineageGraphService.cs`, `LineageExportService.cs`, `LineageController.cs` | - | `/lineage` | Implemented |
### CLI Commands (SBOM)
| Command | Description | Status |
|---------|-------------|--------|
| `stella sbom list` | List SBOMs with filters (--image, --digest, --format, --created-after/before) | Implemented |
| `stella sbom show <id>` | Display SBOM details | Implemented |
| `stella sbom upload` | Upload external SBOM (BYOS) | Pending verification |
| `stella sbomer layer list` | List layer fragments for a scan | Implemented |
| `stella sbomer compose` | Compose layer SBOMs | Implemented |
| `stella sbomer verify` | Verify Merkle tree integrity | Implemented |
### UI Routes (SBOM)
| Route | Feature | Status |
|-------|---------|--------|
| `/sbom-sources` | SBOM ingestion source management | Implemented |
| `/lineage` | SBOM lineage graph and smart diff | Implemented |
| `/graph` | Interactive SBOM dependency visualization | Implemented |
| `/concelier/trivy-db-settings` | Trivy vulnerability database configuration | Implemented |
### Coverage Gaps (SBOM)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Delta-SBOM Cache | No | No | Internal optimization, no direct exposure needed |
| Auto-format Detection | Implicit | Implicit | Works automatically, no explicit command |
| SBOM Lineage Ledger | No | Yes | CLI access would be useful for automation |
| SBOM Lineage API | No | Yes | CLI access would be useful for automation |
---
## Scanning & Detection
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| CVE Lookup via Local DB | Free/Pro/Ent | Scanner | `VulnSurfaceService.cs`, `AdvisoryClient.cs` | `stella scan run` | `/findings` | Implemented |
| License-Risk Detection | All (Planned) | Scanner | Package manifest extraction only | - | - | Planned (Q4-2025) |
| **.NET/C# Analyzer** | Free/Pro/Ent | Scanner | `DotNetLanguageAnalyzer.cs`, `DotNetDependencyCollector.cs`, `MsBuildProjectParser.cs` | `stella scan run` | `/findings` | Implemented |
| **Java Analyzer** | Free/Pro/Ent | Scanner | `JavaLanguageAnalyzer.cs`, `JavaWorkspaceNormalizer.cs` | `stella scan run` | `/findings` | Implemented |
| **Go Analyzer** | Free/Pro/Ent | Scanner | `GoLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Python Analyzer** | Free/Pro/Ent | Scanner | `PythonLanguageAnalyzer.cs`, `PythonEnvironmentDetector.cs`, `ContainerLayerAdapter.cs` | `stella scan run` | `/findings` | Implemented |
| **Node.js Analyzer** | Free/Pro/Ent | Scanner | `NodeLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Ruby Analyzer** | Free/Pro/Ent | Scanner | `RubyLanguageAnalyzer.cs`, `RubyVendorArtifactCollector.cs` | `stella ruby inspect` | `/findings` | Implemented |
| **Bun Analyzer** | Free/Pro/Ent | Scanner | `BunLanguageAnalyzer.cs` | `stella bun inspect` | `/findings` | Implemented |
| **Deno Analyzer** | Free/Pro/Ent | Scanner | `DenoLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **PHP Analyzer** | Free/Pro/Ent | Scanner | `PhpLanguageAnalyzer.cs` | `stella php inspect` | `/findings` | Implemented |
| **Rust Analyzer** | Free/Pro/Ent | Scanner | `RustLanguageAnalyzer.cs` | `stella scan run` | `/findings` | Implemented |
| **Native Binary Analyzer** | Free/Pro/Ent | Scanner | `NativeAnalyzer.cs` | `stella binary` | `/analyze/patch-map` | Implemented |
| Quick Mode | Free/Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs`, `FidelityAwareAnalyzer.cs` | `stella scan run --fidelity quick` | `/ops/scanner` | Implemented |
| Standard Mode | Free/Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs` | `stella scan run --fidelity standard` | `/ops/scanner` | Implemented |
| Deep Mode | Pro/Ent | Scanner | `FidelityLevel.cs`, `FidelityConfiguration.cs` | `stella scan run --fidelity deep` | `/ops/scanner` | Implemented |
| Base Image Detection | Free/Pro/Ent | Scanner | `OciImageInspector.cs`, `OciImageConfig.cs` | `stella image inspect` | `/findings` | Implemented |
| Layer-Aware Analysis | Free/Pro/Ent | Scanner | `LayeredRootFileSystem.cs`, `ContainerLayerAdapter.cs` | `stella scan layer-sbom` | `/findings` | Implemented |
| Concurrent Scan Workers | 1/3/Unlimited | Scanner | `IScanQueue.cs`, `NatsScanQueue.cs`, `ScanJobProcessor.cs` | - | `/ops/scanner` | Implemented |
### CLI Commands (Scanning)
| Command | Description | Status |
|---------|-------------|--------|
| `stella scan run` | Execute scanner with --runner, --entry, --target | Implemented |
| `stella scan upload` | Upload completed scan results | Implemented |
| `stella scan entrytrace` | Show entry trace summary for a scan | Implemented |
| `stella scan sarif` | Export scan results in SARIF 2.1.0 format | Implemented |
| `stella scan replay` | Replay scan with deterministic hashes | Implemented |
| `stella scan gate-policy` | VEX gate evaluation | Implemented |
| `stella scan layers` | Container layer operations | Implemented |
| `stella scan layer-sbom` | Layer SBOM composition | Implemented |
| `stella scan diff` | Binary diff analysis | Implemented |
| `stella image inspect` | Inspect OCI image manifest and layers | Implemented |
| `stella ruby inspect` | Inspect Ruby workspace | Implemented |
| `stella php inspect` | Inspect PHP workspace | Implemented |
| `stella python inspect` | Inspect Python workspace/venv | Implemented |
| `stella bun inspect` | Inspect Bun workspace | Implemented |
| `stella scanner download` | Download latest scanner bundle | Implemented |
### UI Routes (Scanning)
| Route | Feature | Status |
|-------|---------|--------|
| `/findings` | Vulnerability findings with diff-first view | Implemented |
| `/findings/:scanId` | Scan-specific findings | Implemented |
| `/scans/:scanId` | Individual scan result inspection | Implemented |
| `/vulnerabilities` | CVE/vulnerability database explorer | Implemented |
| `/vulnerabilities/:vulnId` | Vulnerability detail view | Implemented |
| `/ops/scanner` | Scanner offline kits, baselines, determinism settings | Implemented |
| `/analyze/patch-map` | Fleet-wide binary patch coverage heatmap | Implemented |
### Coverage Gaps (Scanning)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| License-Risk Detection | No | No | Planned feature, not yet implemented |
| Concurrent Worker Config | No | Yes | Worker count configured via ops UI/environment |
---
## Reachability Analysis
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Static Call Graph | Free/Pro/Ent | Scanner, ReachGraph | `ReachabilityAnalyzer.cs`, `ReachGraphEdge.cs` | `stella reachgraph slice` | `/reachability` | Implemented |
| Entrypoint Detection (9+ types) | Free/Pro/Ent | Scanner | `JavaEntrypointClassifier.cs`, `EntryTraceResponse.cs` | `stella scan entrytrace` | `/reachability` | Implemented |
| BFS Reachability | Free/Pro/Ent | Scanner | `ReachabilityAnalyzer.cs` (BFS traversal, max depth 256) | `stella reachgraph slice --depth` | `/reachability` | Implemented |
| Reachability Drift Detection | Free/Pro/Ent | Reachability.Core | `ReachabilityLattice.cs` (8-state machine) | `stella drift` | `/reachability` | Implemented |
| Binary Loader Resolution | Pro/Ent | Scanner | `GuardDetector.cs` (PLT/IAT), Binary entrypoint classifiers | `stella binary` | `/analyze/patch-map` | Implemented |
| Feature Flag/Config Gating | Pro/Ent | Scanner | `GuardDetector.cs` (env guards, platform checks, feature flags) | - | `/reachability` | Implemented |
| Runtime Signal Correlation | Enterprise | Signals | `EvidenceWeightedScoreCalculator.cs`, `ISignalsAdapter.cs` | - | `/reachability` | Implemented |
| Gate Detection (auth/admin) | Enterprise | Scanner | `GuardDetector.cs` (20+ patterns across 5+ languages) | - | `/reachability` | Implemented |
| Path Witness Generation | Enterprise | Scanner, ReachGraph | `ReachabilityAnalyzer.cs` (deterministic path ordering) | `stella witness` | - | Implemented |
| Reachability Mini-Map API | Enterprise | ReachGraph | `ReachGraphStoreService.cs`, `ReachGraphContracts.cs` | `stella reachgraph slice` | `/reachability` | Implemented |
| Runtime Timeline API | Enterprise | Signals | `ISignalsAdapter.cs`, Evidence window configuration | - | `/reachability` | Implemented |
### CLI Commands (Reachability)
| Command | Description | Status |
|---------|-------------|--------|
| `stella reachgraph slice` | Query slice of reachability graph (--cve, --purl, --entrypoint, --depth) | Implemented |
| `stella reachgraph replay` | Replay reachability analysis for verification | Implemented |
| `stella reachgraph verify` | Verify graph integrity | Implemented |
| `stella reachability show` | Display reachability subgraph (table, json, dot, mermaid) | Implemented |
| `stella reachability export` | Export reachability data | Implemented |
| `stella scan entrytrace` | Show entry trace summary with semantic analysis | Implemented |
| `stella witness` | Path witness operations | Implemented |
| `stella drift` | Reachability drift detection | Implemented |
### UI Routes (Reachability)
| Route | Feature | Status |
|-------|---------|--------|
| `/reachability` | Reachability center - analysis and coverage | Implemented |
| `/graph` | Interactive dependency graph with reachability overlay | Implemented |
### Key Implementation Details
**Reachability Lattice (8 States):**
1. Unknown (0.00-0.29 confidence)
2. StaticReachable (0.30-0.49)
3. StaticUnreachable (0.50-0.69)
4. RuntimeObserved (0.70-0.89)
5. RuntimeUnobserved (0.70-0.89)
6. ConfirmedReachable (0.90-1.00)
7. ConfirmedUnreachable (0.90-1.00)
8. Contested (static/runtime conflict)
**Entrypoint Framework Types Detected:**
- HTTP Handlers (Spring MVC, JAX-RS, Micronaut, GraphQL)
- Message Handlers (Kafka, RabbitMQ, JMS)
- Scheduled Jobs (Spring @Scheduled, Micronaut, JAX-EJB)
- gRPC Methods (Spring Boot gRPC, Netty gRPC)
- Event Handlers (Spring @EventListener)
- CLI Commands (main() method)
- Servlet Handlers (HttpServlet subclass)
### Coverage Gaps (Reachability)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Runtime Signal Correlation | No | Yes | Consider CLI for signal inspection |
| Gate Detection | No | Yes | Guard conditions visible in reachability UI |
| Path Witness Generation | Yes | No | Consider UI visualization of witness paths |
---
## Binary Analysis (BinaryIndex)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Binary Identity Extraction | Free/Pro/Ent | BinaryIndex | `BinaryIdentity.cs`, `IBinaryFeatureExtractor.cs` | `stella binary inspect` | `/analyze/patch-map` | Implemented |
| Build-ID Vulnerability Lookup | Free/Pro/Ent | BinaryIndex | `IBinaryVulnerabilityService.cs`, `ResolutionController.cs` | `stella binary lookup` | `/analyze/patch-map` | Implemented |
| Debian/Ubuntu Corpus | Free/Pro/Ent | BinaryIndex | `DebianCorpusConnector.cs`, `CorpusIngestionService.cs` | - | - | Implemented |
| RPM/RHEL Corpus | Pro/Ent | BinaryIndex | `RpmCorpusConnector.cs` | - | - | Implemented |
| Patch-Aware Backport Detection | Pro/Ent | BinaryIndex | `IFixIndexBuilder.cs`, `FixEvidence.cs`, `DebianChangelogParser.cs` | `stella patch-verify` | - | Implemented |
| PE/Mach-O/ELF Parsers | Pro/Ent | BinaryIndex | Binary format detection in `BinaryIdentity.cs` | `stella binary inspect` | - | Implemented |
| Binary Fingerprint Generation | Enterprise | BinaryIndex | `IVulnFingerprintGenerator.cs`, `BasicBlockFingerprintGenerator.cs`, `ControlFlowGraphFingerprintGenerator.cs`, `StringRefsFingerprintGenerator.cs` | `stella binary fingerprint` | - | Implemented |
| Fingerprint Matching Engine | Enterprise | BinaryIndex | `IFingerprintMatcher.cs`, `FingerprintMatcher.cs` | `stella binary lookup --fingerprint` | - | Implemented |
| DWARF/Symbol Analysis | Enterprise | BinaryIndex | Symbol extraction in corpus functions | `stella binary symbols` | - | Implemented |
### CLI Commands (Binary)
| Command | Description | Status |
|---------|-------------|--------|
| `stella binary inspect` | Inspect binary identity (Build-ID, hashes, architecture) | Implemented |
| `stella binary lookup` | Lookup vulnerabilities by binary identity/fingerprint | Implemented |
| `stella binary symbols` | Extract symbols from binary | Implemented |
| `stella binary fingerprint` | Generate fingerprints for binary functions | Implemented |
| `stella binary verify` | Verify binary match evidence | Implemented |
| `stella binary submit` | Submit binary for analysis | Implemented |
| `stella binary info` | Get binary analysis info | Implemented |
| `stella binary callgraph` | Extract call graph digest | Implemented |
| `stella scan diff` | Binary diff analysis | Implemented |
| `stella patch-verify` | Patch verification for backport detection | Implemented |
| `stella patch-attest` | Patch attestation operations | Implemented |
| `stella deltasig` | Delta signature operations | Implemented |
### UI Routes (Binary)
| Route | Feature | Status |
|-------|---------|--------|
| `/analyze/patch-map` | Fleet-wide binary patch coverage heatmap | Implemented |
### Key Implementation Details
**Fingerprint Algorithms (4 types):**
1. **BasicBlock** - Instruction-level basic block hashing (16 bytes)
2. **ControlFlowGraph** - Weisfeiler-Lehman graph hash (32 bytes)
3. **StringRefs** - String reference pattern hash (16 bytes)
4. **Combined** - Multi-algorithm ensemble
**Fix Detection Methods:**
1. SecurityFeed - Official OVAL, DSA feeds
2. Changelog - Debian/Ubuntu changelog parsing
3. PatchHeader - DEP-3 patch header extraction
4. UpstreamPatchMatch - Upstream patch database
**Supported Distributions:**
- Debian, Ubuntu (DebianCorpusConnector)
- RHEL, Fedora, CentOS, Rocky, AlmaLinux (RpmCorpusConnector)
- Alpine Linux (AlpineCorpusConnector)
### Coverage Gaps (Binary)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Debian/Ubuntu Corpus | No | No | Internal corpus management - admin only |
| RPM/RHEL Corpus | No | No | Internal corpus management - admin only |
| Fingerprint Generation | Yes | No | Consider UI for fingerprint visualization |
| Corpus Ingestion | No | No | Admin operation - consider ops UI |
---
## Advisory Sources (Concelier)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| NVD | Free/Pro/Ent | Concelier | `NvdConnector.cs`, `NvdMapper.cs` | `stella db fetch nvd` | `/concelier` | Implemented |
| GHSA | Free/Pro/Ent | Concelier | `GhsaConnector.cs` (GraphQL, rate limits) | `stella db fetch ghsa` | `/concelier` | Implemented |
| OSV | Free/Pro/Ent | Concelier | `OsvConnector.cs` (multi-ecosystem) | `stella db fetch osv` | `/concelier` | Implemented |
| Alpine SecDB | Free/Pro/Ent | Concelier | `Connector.Distro.Alpine/` | `stella db fetch alpine` | `/concelier` | Implemented |
| Debian Security Tracker | Free/Pro/Ent | Concelier | `Connector.Distro.Debian/` (DSA, EVR) | `stella db fetch debian` | `/concelier` | Implemented |
| Ubuntu USN | Free/Pro/Ent | Concelier | `Connector.Distro.Ubuntu/` | `stella db fetch ubuntu` | `/concelier` | Implemented |
| RHEL/CentOS OVAL | Pro/Ent | Concelier | `Connector.Distro.RedHat/` (OVAL, NEVRA) | `stella db fetch redhat` | `/concelier` | Implemented |
| KEV (Exploited Vulns) | Free/Pro/Ent | Concelier | `KevConnector.cs` (CISA catalog) | `stella db fetch kev` | `/concelier` | Implemented |
| EPSS v4 | Free/Pro/Ent | Concelier | `Connector.Epss/` | `stella db fetch epss` | `/concelier` | Implemented |
| Custom Advisory Connectors | Enterprise | Concelier | `IFeedConnector` interface | - | `/admin` | Implemented |
| Advisory Merge Engine | Enterprise | Concelier | `AdvisoryPrecedenceMerger.cs`, `AffectedPackagePrecedenceResolver.cs` | `stella db merge` | - | Implemented |
### CLI Commands (Advisory)
| Command | Description | Status |
|---------|-------------|--------|
| `stella db fetch` | Trigger connector fetch/parse/map | Implemented |
| `stella db merge` | Run canonical merge reconciliation | Implemented |
| `stella db export` | Run Concelier export jobs | Implemented |
| `stella sources ingest` | Validate source documents | Implemented |
| `stella feeds snapshot` | Create/list/export/import feed snapshots | Implemented |
| `stella advisory` | Advisory listing and search | Implemented |
| `stella admin feeds` | Feed management (admin) | Implemented |
### UI Routes (Advisory)
| Route | Feature | Status |
|-------|---------|--------|
| `/concelier/trivy-db-settings` | Trivy vulnerability database configuration | Implemented |
| `/ops/feeds` | Feed mirror dashboard and air-gap bundles | Implemented |
### Key Implementation Details
**Source Precedence (Lower = Higher Priority):**
- **Rank 0:** redhat, ubuntu, debian, suse, alpine (distro PSIRTs)
- **Rank 1:** msrc, oracle, adobe, apple, cisco, vmware (vendor PSIRTs)
- **Rank 2:** ghsa, osv (ecosystem registries)
- **Rank 3:** jvn, acsc, cccs, cert-fr, cert-in, certbund, ru-bdu, kisa (regional CERTs)
- **Rank 4:** kev (exploit annotations)
- **Rank 5:** nvd (baseline)
**Version Comparators:**
- NEVRA (RPM): epoch:version-release with rpmvercmp
- EVR (Debian/Ubuntu): epoch:upstream_version-debian_revision
- APK (Alpine): `-r<pkgrel>` with suffix ordering
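The EVR comparator is where a vulnerability match is decided: a package is affected only if its installed `epoch:upstream_version-debian_revision` sorts strictly below the fixed version, and the `~` pre-release marker, security-update suffixes such as `+deb10u1`, and numeric runs like `1.10` vs `1.9` all have to order the way dpkg orders them. The following is an added example, not Concelier's own code, written in Python rather than the suite's C# so it runs stand-alone; it re-implements the dpkg ordering rules from scratch, and the version pairs in the demo are constructed samples, not advisory data.

```python
"""Debian/Ubuntu EVR comparison (epoch:upstream_version-debian_revision).

Added example, not part of the Stella Ops code base: a from-scratch
re-implementation of the dpkg version-ordering rules so the
"installed version < fixed version" decision can be inspected on sample data.
"""
from __future__ import annotations

from typing import NamedTuple


class Evr(NamedTuple):
    epoch: int
    upstream: str
    revision: str


def parse_evr(version: str) -> Evr:
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, rest = 0, version
    if ":" in rest:
        head, rest = rest.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:  # no hyphen at all: the whole string is the upstream version
        upstream, revision = rest, ""
    return Evr(epoch, upstream, revision)


def _order(ch: str) -> int:
    """dpkg weight of a non-digit character: '~' sorts before everything,
    including the end of the string; letters sort by code point; other
    punctuation sorts after all letters. '' marks end of string."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments dpkg-style: alternate non-digit runs
    (compared by _order) and digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: stop as soon as both sides are on a digit or exhausted.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1 if i < len(a) else 0
            j += 1 if j < len(b) else 0
        # Digit run: drop leading zeros, then the longer run wins, then the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = (a[i] > b[j]) - (a[i] < b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_evr(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg order."""
    x, y = parse_evr(a), parse_evr(b)
    if x.epoch != y.epoch:
        return -1 if x.epoch < y.epoch else 1
    result = _verrevcmp(x.upstream, y.upstream)
    return result if result else _verrevcmp(x.revision, y.revision)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """A package is affected when its installed EVR sorts strictly below the fix."""
    return compare_evr(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample pairs (installed, fixed); not taken from any advisory.
    for installed, fixed in [("2.7.4-1", "2.7.4-1+deb10u1"), ("1.0~rc1-1", "1.0-1"),
                             ("1:0.9-1", "2.0-1"), ("1.10-1", "1.9-1")]:
        print(f"{installed:>14} vs {fixed:<16} vulnerable={is_vulnerable(installed, fixed)}")
```

The two rules that most often bite hand-written comparators are visible in the sample output: `1.0~rc1-1` is older than `1.0-1` because `~` sorts below end-of-string, and `1:0.9-1` is newer than `2.0-1` because the epoch is compared before anything else.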
### Coverage Gaps (Advisory)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Advisory Merge Engine | Yes | No | Consider merge status UI |
| Custom Connectors | No | No | Enterprise feature - needs admin UI |
| Feed Scheduling | No | Partial | Consider `stella feeds schedule` command |
---
## VEX Processing (Excititor, VexLens, VexHub, IssuerDirectory)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| OpenVEX Format Support | Free/Pro/Ent | Excititor | `Formats.OpenVEX/`, `OpenVexParser.cs` | `stella vex` | `/vex` | Implemented |
| CycloneDX VEX Format | Free/Pro/Ent | Excititor | `Formats.CycloneDX/` | `stella vex` | `/vex` | Implemented |
| CSAF Format Support | Free/Pro/Ent | Excititor | `Formats.CSAF/` | `stella vex` | `/vex` | Implemented |
| VEX Ingestion API | Free/Pro/Ent | Excititor | `IngestEndpoints.cs`, `IVexObservationQueryService.cs` | - | `/vex` | Implemented |
| VEX Observation Store | Free/Pro/Ent | Excititor | `VexObservationQueryService.cs`, AOC-compliant storage | - | - | Implemented |
| VEX Consensus Engine | Pro/Ent | VexLens | `VexConsensusEngine.cs`, `IVexConsensusEngine.cs` | `stella vex consensus` | `/vex` | Implemented |
| Trust Weight Scoring | Pro/Ent | VexLens | `ITrustWeightEngine.cs`, `TrustDecayService.cs` | - | `/vex` | Implemented |
| Issuer Trust Registry | Pro/Ent | IssuerDirectory | Full issuer CRUD and key management | - | `/issuer-directory` | Implemented |
| VEX Distribution Hub | Enterprise | VexHub | `IVexIngestionService.cs`, `IVexExportService.cs` | - | - | Implemented |
| VEX Gate Integration | Pro/Ent | Scanner | `IVexGateService.cs`, `VexGateScanCommandGroup.cs` | `stella scan gate-policy` | `/findings` | Implemented |
| VEX from Drift Generation | Pro/Ent | CLI | `VexGenCommandGroup.cs` | `stella vex gen --from-drift` | - | Implemented |
| Conflict Detection | Pro/Ent | VexLens, Excititor | `VexLinksetDisagreementService.cs`, `NoiseGateService.cs` | - | `/vex` | Implemented |
### CSAF Provider Connectors
| Connector | Module | Key Files | CLI | Status |
|-----------|--------|-----------|-----|--------|
| Red Hat CSAF | Excititor | `Connectors.RedHat.CSAF/` | - | Implemented |
| Ubuntu CSAF | Excititor | `Connectors.Ubuntu.CSAF/` | - | Implemented |
| Oracle CSAF | Excititor | `Connectors.Oracle.CSAF/` | - | Implemented |
| Microsoft MSRC CSAF | Excititor | `Connectors.MSRC.CSAF/` | - | Implemented |
| Cisco CSAF | Excititor | `Connectors.Cisco.CSAF/` | - | Implemented |
| SUSE RancherVEXHub | Excititor | `Connectors.SUSE.RancherVEXHub/` | - | Implemented |
| OCI OpenVEX Attestation | Excititor | `Connectors.OCI.OpenVEX.Attest/` | - | Implemented |
### CLI Commands (VEX)
| Command | Description | Status |
|---------|-------------|--------|
| `stella vex consensus` | Query VexLens consensus (--query, --output json/ndjson/table) | Implemented |
| `stella vex get` | Fetch single consensus record with rationale | Implemented |
| `stella vex simulate` | Test VEX policy decisions (aggregation-only) | Implemented |
| `stella vex gen --from-drift` | Generate VEX from container drift analysis | Implemented |
| `stella scan gate-policy` | VEX gate evaluation for findings | Implemented |
### UI Routes (VEX)
| Route | Feature | Status |
|-------|---------|--------|
| `/vex` | VEX consensus and statement browser | Implemented |
| `/issuer-directory` | Issuer trust registry management | Implemented |
| `/findings` (VEX overlay) | VEX status overlay on findings | Implemented |
### Key Implementation Details
**Consensus Lattice States:**
- `unknown` (0.00) - No information
- `under_investigation` (0.25) - Being analyzed
- `not_affected` (0.50) - Confirmed not vulnerable
- `affected` (0.75) - Confirmed vulnerable
- `fixed` (1.00) - Patch applied
**Trust Weight Factors (9 total):**
1. Issuer tier (critical/high/medium/low)
2. Confidence score (0-1)
3. Cryptographic attestation status
4. Statement age (freshness decay)
5. Patch applicability
6. Source authority scope (PURL patterns)
7. Key lifecycle status
8. Justification quality
9. Historical accuracy
**AOC (Aggregation-Only Contract):**
- Raw VEX stored verbatim with provenance
- No derived data at ingest time
- Linkset-only references
- Roslyn analyzers enforce compliance
**Determinism Guarantees:**
- RFC 8785 canonical JSON serialization
- Stable ordering (timestamp DESC, source ASC, hash ASC)
- UTC ISO-8601 timestamps
- SHA-256 consensus digests
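The four determinism guarantees together mean that two nodes handed the same VEX statements in a different order must arrive at the same consensus digest. The following added example (not Excititor or VexLens code, written in Python for a stand-alone run) shows the ordering key and the digest. Its assumptions are labelled: the statement shape is invented, the three statements are constructed samples, and `json.dumps(sort_keys=True, separators=(",", ":"), ensure_ascii=False)` stands in for a full RFC 8785 (JCS) serializer, which agrees with JCS for the string and integer values used here but not for floats.

```python
"""Deterministic consensus digest over VEX statements.

Added example, not the suite's code. Statement shape, sample statements and
the use of json.dumps as an RFC 8785 stand-in are all assumptions.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample statements about a placeholder vulnerability id.
# Deliberately listed in a non-canonical order.
SAMPLE_STATEMENTS = [
    {"source": "osv", "vuln": "EXAMPLE-VULN-1", "status": "affected",
     "timestamp": "2025-01-02T00:00:00Z"},
    {"source": "debian", "vuln": "EXAMPLE-VULN-1", "status": "not_affected",
     "timestamp": "2025-01-03T12:00:00Z"},
    {"source": "ghsa", "vuln": "EXAMPLE-VULN-1", "status": "affected",
     "timestamp": "2025-01-02T00:00:00Z"},
]


def canonical_json(obj) -> bytes:
    """Sorted keys, no whitespace, raw UTF-8: JCS-compatible for strings/ints."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def statement_hash(stmt: dict) -> str:
    """SHA-256 of the canonical form of one statement."""
    return hashlib.sha256(canonical_json(stmt)).hexdigest()


def is_utc_timestamp(ts: str) -> bool:
    """Accept only ISO-8601 timestamps carrying an explicit UTC offset (Z or +00:00)."""
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return False
    return dt.utcoffset() == timedelta(0)


def stable_order(statements: list[dict]) -> list[dict]:
    """Order by timestamp DESC, then source ASC, then statement hash ASC."""
    for s in statements:
        if not is_utc_timestamp(s["timestamp"]):
            raise ValueError(f"non-UTC or malformed timestamp: {s['timestamp']!r}")

    def key(s: dict):
        when = datetime.fromisoformat(s["timestamp"].replace("Z", "+00:00"))
        return (-when.timestamp(), s["source"], statement_hash(s))

    return sorted(statements, key=key)


def consensus_digest(statements: list[dict]) -> str:
    """SHA-256 over the canonical JSON of the stably ordered statement list."""
    return hashlib.sha256(canonical_json(stable_order(statements))).hexdigest()


if __name__ == "__main__":
    for s in stable_order(SAMPLE_STATEMENTS):
        print(f"{s['timestamp']}  {s['source']:<8} {statement_hash(s)[:16]}...")
    a = consensus_digest(SAMPLE_STATEMENTS)
    b = consensus_digest(list(reversed(SAMPLE_STATEMENTS)))
    print("digest stable under reordering:", a == b)
```

Two of the sample statements share a timestamp, which is exactly where the secondary `source ASC` key earns its place; the third key, the statement hash, covers two statements from the same source at the same instant. Rejecting naive or non-UTC timestamps up front keeps a client's local offset from silently changing the order, and with it the digest.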
### Coverage Gaps (VEX)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| CSAF Provider Connectors | No | No | Internal connector management |
| Trust Weight Configuration | No | Partial | Consider CLI for trust weight tuning |
| VEX Distribution Webhooks | No | No | VexHub webhook config needs exposure |
| Conflict Resolution UI | No | Partial | Interactive conflict resolution would help |
---
## Policy Engine (Policy, RiskEngine)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| K4 Lattice Logic | Pro/Ent | Policy | `K4Lattice.cs`, `TrustLatticeEngine.cs` | - | `/policy` | Implemented |
| Policy Gate Evaluation | Free/Pro/Ent | Policy | `PolicyGateEvaluator.cs`, `IPolicyGate.cs` | `stella policy simulate` | `/policy` | Implemented |
| Evidence Gate | Free/Pro/Ent | Policy | `EvidenceGate.cs` | - | `/policy` | Implemented |
| VEX Trust Gate | Pro/Ent | Policy | `VexTrustGate.cs`, `VexProofSpineService.cs` | - | `/policy` | Implemented |
| Confidence Gate | Pro/Ent | Policy | `MinimumConfidenceGate.cs` | - | `/policy` | Implemented |
| Exception Management | Pro/Ent | Policy | `IExceptionService.cs`, `ExceptionAdapter.cs` | - | `/policy/exceptions` | Implemented |
| Risk Scoring (6 providers) | Pro/Ent | RiskEngine | `IRiskScoreProvider.cs`, `CvssKevProvider.cs` | - | `/risk` | Implemented |
| Verdict Attestations | Enterprise | Policy | `IVerdictAttestationService.cs`, `IPolicyDecisionAttestationService.cs` | - | - | Implemented |
| Policy Simulation | Pro/Ent | Policy | `IPolicySimulationService.cs` | `stella policy simulate` | `/policy/simulate` | Implemented |
| Sealed Mode (Air-Gap) | Enterprise | Policy | `ISealedModeService.cs` | - | `/ops` | Implemented |
| Determinization System | Pro/Ent | Policy | `UncertaintyScoreCalculator.cs`, `DecayedConfidenceCalculator.cs` | - | - | Implemented |
| Score Policy (YAML) | Pro/Ent | Policy | `ScorePolicyService.cs`, `ScorePolicyModels.cs` | `stella policy validate` | `/policy` | Implemented |
### K4 Lattice (Belnap Four-Valued Logic)
| State | Symbol | Description |
|-------|--------|-------------|
| Unknown | ⊥ | No evidence available |
| True | T | Evidence supports true |
| False | F | Evidence supports false |
| Conflict | ⊤ | Credible evidence for both (contested) |
**Operations:**
- `Join(a, b)` - Knowledge union (monotone aggregation)
- `Meet(a, b)` - Knowledge intersection (dependency chains)
- `Negate(v)` - Swaps True ↔ False
- `FromSupport(hasTrueSupport, hasFalseSupport)` - Constructs K4 from claims
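The four operations are easiest to see once each K4 value is written as the pair (has true support, has false support): `Join` is then pairwise OR, `Meet` pairwise AND, and `Negate` a swap. The following added example (not the Policy module's own `K4Lattice.cs`, written in Python for a stand-alone run) implements the operations that way, folds a set of claims with `Join` for monotone aggregation and a dependency chain with `Meet`, and checks the lattice laws over all sixteen value pairs. The claim names in the demo are constructed.

```python
"""Belnap four-valued (K4) lattice operations.

Added example, not the suite's code: a K4 value is encoded as the pair
(has_true_support, has_false_support), so Join is pairwise OR, Meet is
pairwise AND and Negate swaps the two components.
"""
from __future__ import annotations

from dataclasses import dataclass
from functools import reduce
from typing import Iterable


@dataclass(frozen=True)
class K4:
    has_true_support: bool
    has_false_support: bool

    @property
    def name(self) -> str:
        return {
            (False, False): "Unknown",   # bottom: no evidence either way
            (True, False): "True",
            (False, True): "False",
            (True, True): "Conflict",    # top: credible evidence for both
        }[(self.has_true_support, self.has_false_support)]


UNKNOWN = K4(False, False)
TRUE = K4(True, False)
FALSE = K4(False, True)
CONFLICT = K4(True, True)
ALL_VALUES = (UNKNOWN, TRUE, FALSE, CONFLICT)


def from_support(has_true_support: bool, has_false_support: bool) -> K4:
    """Build a K4 value from the claims collected for and against a proposition."""
    return K4(bool(has_true_support), bool(has_false_support))


def join(a: K4, b: K4) -> K4:
    """Knowledge union: keep every claim either side carries (True join False = Conflict)."""
    return K4(a.has_true_support or b.has_true_support,
              a.has_false_support or b.has_false_support)


def meet(a: K4, b: K4) -> K4:
    """Knowledge intersection: keep only claims both sides carry (True meet False = Unknown)."""
    return K4(a.has_true_support and b.has_true_support,
              a.has_false_support and b.has_false_support)


def negate(v: K4) -> K4:
    """Swap True and False; Unknown and Conflict are their own negation."""
    return K4(v.has_false_support, v.has_true_support)


def leq(a: K4, b: K4) -> bool:
    """Knowledge order: b carries at least every kind of support a carries."""
    return ((not a.has_true_support or b.has_true_support)
            and (not a.has_false_support or b.has_false_support))


def aggregate(claims: Iterable[K4]) -> K4:
    """Monotone aggregation of independent claims: fold with join, starting at Unknown."""
    return reduce(join, claims, UNKNOWN)


def chain(links: Iterable[K4]) -> K4:
    """Dependency chain: the conclusion is only as certain as every link, so fold with meet."""
    links = list(links)
    if not links:
        raise ValueError("a dependency chain needs at least one link")
    return reduce(meet, links)


def verify_lattice_laws() -> bool:
    """Check commutativity, bounds, absorption, involution and De Morgan over all 16 pairs."""
    for a in ALL_VALUES:
        if negate(negate(a)) != a:
            return False
        for b in ALL_VALUES:
            if join(a, b) != join(b, a) or meet(a, b) != meet(b, a):
                return False
            if not (leq(a, join(a, b)) and leq(b, join(a, b))):
                return False
            if not (leq(meet(a, b), a) and leq(meet(a, b), b)):
                return False
            if join(a, meet(a, b)) != a or meet(a, join(a, b)) != a:
                return False
            # Negation preserves the knowledge order, so it distributes over join as-is.
            if negate(join(a, b)) != join(negate(a), negate(b)):
                return False
    return True


if __name__ == "__main__":
    # Constructed claims about "this finding is exploitable": static analysis
    # says reachable (true support), a vendor VEX says not_affected (false support).
    reachability = from_support(True, False)
    vendor_vex = from_support(False, True)
    print("aggregate ->", aggregate([UNKNOWN, reachability, vendor_vex]).name)  # Conflict
    print("chain     ->", chain([TRUE, UNKNOWN]).name)                         # Unknown
    print("laws hold ->", verify_lattice_laws())
```

The two folds behave differently on purpose: aggregating independent claims with `join` can only add knowledge, so a `not_affected` statement never erases a reachability result but surfaces as `Conflict` for review, while a dependency chain folded with `meet` collapses to `Unknown` as soon as one link lacks support.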
### Policy Gate Types (10+)
| Gate | Purpose |
|------|---------|
| Evidence Gate | Validates sufficient evidence backing |
| Lattice State Gate | K4 states (U, SR, SU, RO, RU, CR, CU, X) |
| VEX Trust Gate | Confidence-based VEX scoring |
| Uncertainty Tier Gate | T1-T4 uncertainty classification |
| Minimum Confidence Gate | Enforces confidence floors |
| Evidence Freshness Gate | Staleness checks |
| VEX Proof Gate | Validates VEX proof chains |
| Reachability Requirement Gate | Reachability evidence |
| Facet Quota Gate | Facet-based quotas |
| Source Quota Gate | Source credibility quotas |
| Unknowns Budget Gate | Limits unknown assertions |
### Risk Score Providers (6)
| Provider | Key Files | Purpose |
|----------|-----------|---------|
| CVSS/KEV | `CvssKevProvider.cs` | CVSS + Known Exploited Vulns |
| EPSS | `EpssProvider.cs` | Exploit Prediction Scoring |
| FixChain | `FixChainRiskProvider.cs` | Fix availability and timeline |
| FixExposure | `FixExposureProvider.cs` | Patch adoption curves |
| VexGate | `VexGateProvider.cs` | VEX decisions as risk gates |
| DefaultTransforms | `DefaultTransformsProvider.cs` | Signal normalization |
### Determinization Signal Weights
| Signal | Weight |
|--------|--------|
| VEX | 35% |
| Reachability | 25% |
| Runtime | 15% |
| EPSS | 10% |
| Backport | 10% |
| SBOM Lineage | 5% |
### Score Policy Weights (Basis Points)
| Dimension | Default Weight |
|-----------|---------------|
| Base Severity | 10% (1000 BPS) |
| Reachability | 45% (4500 BPS) |
| Evidence | 30% (3000 BPS) |
| Provenance | 15% (1500 BPS) |
### CLI Commands (Policy)
| Command | Description | Status |
|---------|-------------|--------|
| `stella policy validate <path>` | Validate policy YAML (--schema, --strict) | Implemented |
| `stella policy install <pack>` | Install policy pack (--version, --env) | Implemented |
| `stella policy list` | List installed policies | Implemented |
| `stella policy simulate` | Simulate policy decisions | Implemented |
### UI Routes (Policy)
| Route | Feature | Status |
|-------|---------|--------|
| `/policy` | Policy management and evaluation | Implemented |
| `/policy/exceptions` | Exception management | Implemented |
| `/policy/simulate` | Policy simulation runner | Implemented |
| `/risk` | Risk scoring dashboard | Implemented |
### API Endpoints (45+)
**Core:**
- `/policy/eval/batch` - Batch evaluation
- `/policy/packs` - Policy pack management
- `/policy/runs` - Run lifecycle
- `/policy/decisions` - Decision queries
**Simulation:**
- `/policy/simulate` - Policy simulation
- `/policy/merge-preview` - Merge preview
- `/overlay-simulation` - Overlay projection
**Governance:**
- `/api/v1/policy/registry/packs` - Pack registry
- `/api/v1/policy/registry/promote` - Promotion workflows
- `/api/v1/policy/registry/publish` - Publishing pipelines
### Coverage Gaps (Policy)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| K4 Lattice Debug | No | Partial | Consider `stella policy lattice explain` |
| Risk Provider Config | No | No | Provider-level configuration needs exposure |
| Exception Approval API | No | Yes | Consider `stella policy exception approve` |
| Determinization Tuning | No | No | Signal weights should be configurable |
---
## Attestation & Signing (Attestor, Signer, Provenance)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| DSSE Envelope Handling | Free/Pro/Ent | Attestor | `DsseHelper.cs`, `DsseEnvelope.cs`, `DsseVerifier.cs` | `stella attest` | `/attestations` | Implemented |
| In-Toto Statement Format | Free/Pro/Ent | Attestor | `InTotoStatement.cs`, `IInTotoLinkSigningService.cs` | `stella attest attach` | - | Implemented |
| SPDX SBOM Predicates | Free/Pro/Ent | Attestor | `SpdxPredicateParser.cs` | `stella attest attach` | - | Implemented |
| CycloneDX SBOM Predicates | Free/Pro/Ent | Attestor | `CycloneDxPredicateParser.cs` | `stella attest attach` | - | Implemented |
| SLSA Provenance Predicates | Pro/Ent | Attestor | `SlsaProvenancePredicateParser.cs` | `stella attest attach` | - | Implemented |
| Keyless Signing (Fulcio) | Pro/Ent | Signer | `KeylessDsseSigner.cs`, `HttpFulcioClient.cs` | `stella sign keyless` | - | Implemented |
| Rekor Transparency Log | Pro/Ent | Signer, Attestor | `RekorHttpClient.cs`, `IRekorClient.cs` | `stella sign keyless --rekor` | - | Implemented |
| Key Rotation Service | Enterprise | Signer | `IKeyRotationService.cs`, `KeyRotationService.cs` | `/keys/rotate` endpoint | - | Implemented |
| Trust Anchor Management | Enterprise | Signer | `ITrustAnchorManager.cs`, `TrustAnchorManager.cs` | - | - | Implemented |
| Attestation Chains | Enterprise | Attestor | `AttestationChain.cs`, `AttestationChainBuilder.cs` | - | - | Implemented |
| Delta Attestations | Pro/Ent | Attestor | `IDeltaAttestationService.cs` (VEX/SBOM/Verdict/Reachability) | - | - | Implemented |
| Offline/Air-Gap Bundles | Enterprise | Attestor | `IAttestorBundleService.cs` | - | `/ops/offline-kit` | Implemented |
### Predicate Types (25+ Types)
**Standard Predicates:**
| Predicate | Parser | Purpose |
|-----------|--------|---------|
| SPDX | `SpdxPredicateParser.cs` | SBOM attestation (2.2/2.3/3.0.1) |
| CycloneDX | `CycloneDxPredicateParser.cs` | SBOM attestation (1.7) |
| SLSA Provenance | `SlsaProvenancePredicateParser.cs` | Build provenance (v1.0) |
| VEX Override | `VexOverridePredicateParser.cs` | VEX decision overrides |
| Binary Diff | `BinaryDiffPredicateBuilder.cs` | Binary change attestation |
**Stella-Ops Specific Predicates:**
- AIArtifactBasePredicate, AIAuthorityClassifier, AIExplanationPredicate
- AIPolicyDraftPredicate, AIRemediationPlanPredicate, AIVexDraftPredicate
- BinaryFingerprintEvidencePredicate, BudgetCheckPredicate, ChangeTracePredicate
- DeltaVerdictPredicate, EvidencePredicate, PolicyDecisionPredicate
- ProofSpinePredicate, ReachabilityDriftPredicate, ReachabilitySubgraphPredicate
- SbomDeltaPredicate, UnknownsBudgetPredicate, VerdictDeltaPredicate
- VexDeltaPredicate, VexPredicate, TrustVerdictPredicate, FixChainPredicate
### CLI Commands (Attestation & Signing)
| Command | Description | Status |
|---------|-------------|--------|
| `stella attest attach` | Attach DSSE attestation to OCI artifact | Implemented |
| `stella attest verify` | Verify attestations on OCI artifact | Implemented |
| `stella attest list` | List attestations on OCI artifact | Implemented |
| `stella attest fetch` | Fetch specific attestation by predicate type | Implemented |
| `stella attest fix-chain` | FixChain attestation command | Implemented |
| `stella attest patch` | Patch attestation command | Implemented |
| `stella sign keyless` | Sigstore keyless signing | Implemented |
| `stella sign verify-keyless` | Verify keyless signature | Implemented |
### Signing Modes
| Mode | Description | Key Files |
|------|-------------|-----------|
| Keyless | Fulcio-based ephemeral keys | `KeylessDsseSigner.cs` |
| KMS | External key management system | `CryptoDsseSigner.cs` |
| HMAC | HMAC-based signing | `HmacDsseSigner.cs` |
### Crypto Algorithm Support
| Algorithm | Files | Purpose |
|-----------|-------|---------|
| RSA | `CryptoDsseSigner.cs` | Traditional RSA signing |
| ECDSA | `CryptoDsseSigner.cs` | Elliptic curve signing |
| SM2 | `CryptoDsseSigner.cs` | Chinese national standard |
### API Endpoints (Attestor)
| Endpoint | Purpose |
|----------|---------|
| `/api/v1/anchors` | Attestation anchors |
| `/api/v1/bundles` | DSSE bundle operations |
| `/api/v1/chains` | Attestation chain queries |
| `/api/v1/proofs` | Proof operations |
| `/api/v1/verify` | Verification endpoints |
### API Endpoints (Signer)
| Endpoint | Purpose |
|----------|---------|
| `POST /sign` | Sign artifact |
| `POST /sign/verify` | Verify signature |
| `GET /keys` | List signing keys |
| `POST /keys/rotate` | Rotate signing key |
| `POST /keys/revoke` | Revoke signing key |
### Coverage Gaps (Attestation)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Key Rotation | No (API only) | No | Add `stella keys rotate` CLI |
| Trust Anchor Management | No | No | Consider trust anchor CLI |
| Attestation Chains UI | No | Partial | Chain visualization needed |
| Predicate Registry | No | No | Consider `stella attest predicates list` |
---
## Regional Crypto (Cryptography, SmRemote)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| EdDSA (Ed25519) Baseline | Free/Pro/Ent | Cryptography | `Ed25519Signer.cs`, `Ed25519Verifier.cs` | - | - | Implemented |
| ECDSA P-256 (FIPS) | Pro/Ent | Cryptography | `EcdsaP256Signer.cs` | - | - | Implemented |
| FIPS 140-2 Plugin | Enterprise | Cryptography | `FipsPlugin.cs` (RSA, ECDSA, AES) | - | - | Implemented |
| GOST R 34.10-2012 Plugin | Enterprise | Cryptography | `GostPlugin.cs` (256/512-bit) | - | - | Implemented |
| SM2/SM3/SM4 Plugin | Enterprise | Cryptography | `SmPlugin.cs` | - | - | Implemented |
| eIDAS Plugin | Enterprise | Cryptography | `EidasPlugin.cs` (CAdES, RFC 3161) | - | - | Implemented |
| HSM Plugin (PKCS#11) | Enterprise | Cryptography | `HsmPlugin.cs` | - | - | Implemented |
| CryptoPro GOST | Enterprise | Cryptography | `CryptoProGostCryptoProvider.cs` (Windows) | - | - | Implemented |
| SM Remote Service | Enterprise | SmRemote | `Program.cs` (SM2 signing service) | - | - | Implemented |
| Multi-Profile Signing | Enterprise | Cryptography | `MultiProfileSigner.cs` | - | - | Implemented |
| Post-Quantum (Defined) | Future | Cryptography | `SignatureProfile.cs` (Dilithium, Falcon) | - | - | Planned |
### Signature Profiles (8 Defined)
| Profile | Standard | Algorithm | Status |
|---------|----------|-----------|--------|
| EdDsa | RFC 8032 | Ed25519 | Implemented |
| EcdsaP256 | FIPS 186-4 | ES256 | Implemented |
| RsaPss | FIPS 186-4, RFC 8017 | PS256/384/512 | Implemented |
| Gost2012 | GOST R 34.10-2012 | GOST 256/512-bit | Implemented |
| SM2 | GM/T 0003.2-2012 | SM2-SM3 | Implemented |
| Eidas | ETSI TS 119 312 | RSA-SHA*, ECDSA-SHA* | Implemented |
| Dilithium | NIST PQC | CRYSTALS-Dilithium | Planned |
| Falcon | NIST PQC | Falcon-512/1024 | Planned |
### Regional Compliance Matrix
| Region | Standard | Plugin | Algorithms |
|--------|----------|--------|------------|
| US | FIPS 140-2 | FipsPlugin | RSA-SHA*, ECDSA-P256/384/521, AES-GCM |
| Russia | GOST R 34.10-2012 | GostPlugin, CryptoPro | GOST 256/512-bit signatures |
| China | GM/T 0003-0004 | SmPlugin, SmRemote | SM2, SM3, SM4-CBC/GCM |
| EU | eIDAS | EidasPlugin | CAdES-BES, XAdES-BES, RFC 3161 TSA |
| Hardware | PKCS#11 | HsmPlugin | HSM-RSA, HSM-ECDSA, HSM-AES |
### Key Service Interfaces
| Interface | Purpose |
|-----------|---------|
| `IContentSigner` | Core signing abstraction |
| `IContentVerifier` | Signature verification |
| `ICryptoCapability` | Plugin capability reporting |
| `IHsmClient` | HSM abstraction (simulated/PKCS#11) |
### Plugin Configuration Options
**FIPS Plugin:**
- RequireFipsMode, RsaKeySize (2048-4096), EcdsaCurve (P-256/384/521)
**GOST Plugin:**
- KeyStorePath, DefaultKeyId, PrivateKeyBase64, KeySize (256/512)
**SM Plugin:**
- PrivateKeyHex, GenerateKeyOnInit, UserId
**eIDAS Plugin:**
- CertificatePath, TimestampAuthorityUrl, ValidateCertificateChain
**HSM Plugin:**
- LibraryPath, SlotId, Pin, TokenLabel
### Coverage Gaps (Regional Crypto)
| Feature | Has CLI | Has UI | Notes |
|---------|---------|--------|-------|
| Crypto Profile Selection | No | No | Configuration-only, no CLI |
| Key Management | No | No | Plugin-specific configuration |
| Post-Quantum Crypto | No | No | Profiles defined but not implemented |
| HSM Status | No | No | Consider health check endpoint |
---
## Evidence & Findings (EvidenceLocker, Findings, ExportCenter)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Sealed Evidence Bundles | Pro/Ent | EvidenceLocker | `S3EvidenceObjectStore.cs` (WORM) | `stella evidence export` | `/evidence-export` | Implemented |
| Verdict Attestations | Pro/Ent | EvidenceLocker | `VerdictEndpoints.cs`, `VerdictContracts.cs` | - | `/evidence-export` | Implemented |
| Append-Only Ledger | Pro/Ent | Findings | `ILedgerEventRepository.cs`, `LedgerEventModels.cs` | - | `/findings` | Implemented |
| Alert Triage Workflow | Pro/Ent | Findings | `DecisionModels.cs` (hot/warm/cold bands) | - | `/findings` | Implemented |
| Merkle Anchoring | Pro/Ent | Findings | `Infrastructure/Merkle/` | - | - | Implemented |
| Evidence Packs | Pro/Ent | Evidence.Pack | `IEvidencePackService.cs`, `EvidencePack.cs` | - | `/evidence-thread` | Implemented |
| Evidence Cards | Pro/Ent | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCard.cs` | - | - | Implemented |
| Profile-Based Exports | Pro/Ent | ExportCenter | `ExportApiEndpoints.cs`, `ExportProfile` | - | `/evidence-export` | Implemented |
| Risk Bundle Export | Enterprise | ExportCenter | `RiskBundleEndpoints.cs` | - | `/evidence-export` | Implemented |
| Lineage Evidence Export | Enterprise | ExportCenter | `LineageExportEndpoints.cs` | - | `/lineage` | Implemented |
| Offline Verification | Enterprise | EvidenceLocker | `verify-offline.md` | `stella evidence verify --offline` | - | Implemented |
### CLI Commands (Evidence)
| Command | Description | Status |
|---------|-------------|--------|
| `stella evidence export` | Export evidence bundle (--bundle, --format, --compression) | Implemented |
| `stella evidence verify` | Verify bundle (--offline, --rekor-key) | Implemented |
| `stella evidence status` | Bundle status check | Implemented |
### UI Routes (Evidence)
| Route | Feature | Status |
|-------|---------|--------|
| `/evidence-export` | Evidence bundle management and export | Implemented |
| `/evidence-thread` | Evidence thread visualization | Implemented |
| `/findings` | Findings ledger with triage | Implemented |
---
## Determinism & Replay (Replay, Signals, HLC)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Hybrid Logical Clock | Pro/Ent | HybridLogicalClock | `HybridLogicalClock.cs`, `HlcTimestamp.cs` | - | - | Implemented |
| Canonical JSON (RFC 8785) | Pro/Ent | Canonical.Json | `CanonJson.cs` | - | - | Implemented |
| Replay Manifests (V1/V2) | Pro/Ent | Replay.Core | `ReplayManifest.cs`, `KnowledgeSnapshot.cs` | `stella scan replay` | - | Implemented |
| Evidence Weighted Scoring | Pro/Ent | Signals | `EvidenceWeightedScoreCalculator.cs` (6 factors) | - | - | Implemented |
| Timeline Events | Pro/Ent | Eventing | `TimelineEvent.cs`, `ITimelineEventEmitter.cs` | - | - | Implemented |
| Replay Proofs | Pro/Ent | Replay.Core | `ReplayProof.cs`, `ReplayManifestValidator.cs` | `stella prove` | - | Implemented |
| Deterministic Event IDs | Pro/Ent | Eventing | `EventIdGenerator.cs` (SHA-256 based) | - | - | Implemented |
| Attested Reduction | Pro/Ent | Signals | Short-circuit rules for anchored VEX | - | - | Implemented |
### Evidence Weighted Scoring (6 Factors)
| Factor | Symbol | Weight | Description |
|--------|--------|--------|-------------|
| Reachability | RCH | Configurable | Static/runtime reachability |
| Runtime | RTS | Configurable | Runtime telemetry |
| Backport | BKP | Configurable | Backport evidence |
| Exploit | XPL | Configurable | Exploit likelihood (EPSS) |
| Source Trust | SRC | Configurable | Feed trustworthiness |
| Mitigations | MIT | Configurable | Mitigation evidence (reduces score) |
### CLI Commands (Replay)
| Command | Description | Status |
|---------|-------------|--------|
| `stella scan replay` | Deterministic verdict reproduction | Implemented |
| `stella prove` | Generate replay proofs | Implemented |
| `stella verify --proof` | Verify replay proofs | Implemented |
---
## Operations (Scheduler, Orchestrator, TaskRunner, TimelineIndexer)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Job Scheduling | Pro/Ent | Scheduler | `IGraphJobService.cs`, `RunEndpoints.cs` | - | `/ops/scheduler` | Implemented |
| Impact Targeting | Pro/Ent | Scheduler | `IImpactIndex.cs` (Roaring bitmaps) | - | - | Implemented |
| Job Orchestration | Pro/Ent | Orchestrator | `IJobRepository.cs`, `Job.cs` | - | `/orchestrator` | Implemented |
| Dead Letter Queue | Pro/Ent | Orchestrator | `DeadLetterEntry.cs`, `DeadLetterEndpoints.cs` | - | `/orchestrator` | Implemented |
| Task Pack Execution | Pro/Ent | TaskRunner | `ITaskRunnerClient.cs`, `PackRunWorkerService.cs` | - | - | Implemented |
| Plan-Hash Binding | Pro/Ent | TaskRunner | Deterministic execution validation | - | - | Implemented |
| Timeline Indexing | Pro/Ent | TimelineIndexer | `ITimelineQueryService.cs`, `TimelineEventView.cs` | - | - | Implemented |
| Lease Management | Pro/Ent | Orchestrator | `LeaseNextAsync()`, `ExtendLeaseAsync()` | - | - | Implemented |
### API Endpoints (Operations)
**Scheduler:**
- `POST /api/v1/scheduler/runs` - Create run
- `GET /api/v1/scheduler/runs/{runId}/stream` - SSE stream
- `POST /api/v1/scheduler/runs/preview` - Dry-run preview
**Orchestrator:**
- `GET /api/v1/orchestrator/jobs` - List jobs
- `GET /api/v1/orchestrator/dag` - Job DAG
- `GET /api/v1/orchestrator/deadletter` - Dead letter queue
- `GET /api/v1/orchestrator/kpi` - KPI metrics
**TaskRunner:**
- `POST /api/runs` - Create pack run
- `GET /api/runs/{runId}/logs` - SSE log stream
- `POST /api/runs/{runId}/approve` - Approval decision
### UI Routes (Operations)
| Route | Feature | Status |
|-------|---------|--------|
| `/ops/scheduler` | Scheduler runs and impact preview | Implemented |
| `/orchestrator` | Job dashboard and dead letters | Implemented |
---
## Release Orchestration (ReleaseOrchestrator)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Promotion Workflows | Enterprise | ReleaseOrchestrator | `GateModels.cs`, `StepModels.cs` | - | `/releases` | Implemented |
| Integration Hub | Enterprise | ReleaseOrchestrator | `IIntegrationManager.cs` | - | `/integrations` | Implemented |
| Deployment Agents | Enterprise | Agent.Core | `IAgentCapability.cs`, `ComposeCapability.cs` | - | - | Implemented |
| Plugin System (3-Surface) | Enterprise | ReleaseOrchestrator.Plugin | `IStepProviderCapability.cs`, `IGateProviderCapability.cs` | - | `/plugins` | Implemented |
| Gate Evaluation | Enterprise | ReleaseOrchestrator | `IGateEvaluator.cs` | - | `/releases` | Implemented |
| Step Execution | Enterprise | ReleaseOrchestrator | `IStepExecutor.cs` | - | - | Implemented |
| Connector Invoker | Enterprise | ReleaseOrchestrator | `IConnectorInvoker.cs` | - | - | Implemented |
### Integration Types
| Type | Description | Examples |
|------|-------------|----------|
| Scm | Source Control | GitHub, GitLab, Gitea |
| Ci | Continuous Integration | Jenkins, GitHub Actions |
| Registry | Container Registry | Docker Hub, Harbor, ACR, ECR, GCR |
| Vault | Secrets | HashiCorp Vault, Azure Key Vault |
| Notify | Notifications | Slack, Teams, Email, Webhooks |
| SettingsStore | Config | Consul, etcd, Parameter Store |
### Deployment Agent Types
| Agent | Key Files | Tasks |
|-------|-----------|-------|
| Docker Compose | `ComposeCapability.cs` | pull, up, down, scale, health-check, ps |
| SSH/WinRM | (planned) | Remote execution |
| ECS | (planned) | AWS ECS deployment |
| Nomad | (planned) | HashiCorp Nomad |
---
## Auth & Access Control (Authority, Registry)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| OAuth2/OIDC Token Service | Free/Pro/Ent | Authority | `IStellaOpsTokenClient.cs` | `stella auth` | `/login` | Implemented |
| DPoP (Proof-of-Possession) | Pro/Ent | Authority | DPoP header injection | - | - | Implemented |
| mTLS Certificate Binding | Enterprise | Authority | Tokens carrying a `cnf.x5t#S256` client-certificate thumbprint claim | - | - | Implemented |
| 75+ Authorization Scopes | Pro/Ent | Authority | `StellaOpsScopes.cs` | - | - | Implemented |
| Registry Token Service | Pro/Ent | Registry | `RegistryTokenIssuer.cs` | - | - | Implemented |
| Plan-Based Authorization | Pro/Ent | Registry | `PlanRegistry.cs` | - | - | Implemented |
| LDAP Integration | Enterprise | Authority.Plugin.Ldap | LDAP connector | - | `/admin` | Implemented |
| Device Code Flow | Pro/Ent | Authority | CLI headless login | `stella auth login` | - | Implemented |
### Authentication Flows
| Flow | Use Case |
|------|----------|
| Client Credentials | Service-to-service |
| Device Code | CLI headless login |
| Authorization Code + PKCE | Web UI browser login |
| DPoP Handshake | Proof-of-possession for all API calls |
### Scope Categories
| Category | Example Scopes |
|----------|---------------|
| Signer | `signer.sign` |
| Scanner | `scanner:scan`, `scanner:export` |
| VEX | `vex:read`, `vex:ingest` |
| Policy | `policy:author`, `policy:approve`, `policy:publish` |
| Authority Admin | `authority:tenants.write`, `authority:roles.write` |
---
## Notifications & Integrations (Notify, Notifier, Integrations, Zastava)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---------|-------|--------|-----------|-----|----|----|
| Multi-Channel Notifications | Pro/Ent | Notify | `NotifyChannel.cs`, `NotifyEvent.cs` | - | `/notifications` | Implemented |
| Rule-Based Routing | Pro/Ent | Notify | `NotifyRule.cs`, `INotifyRuleEvaluator.cs` | - | `/notifications` | Implemented |
| Incident Correlation | Pro/Ent | Notifier | `ICorrelationEngine.cs` | - | `/incidents` | Implemented |
| Escalation Policies | Pro/Ent | Notifier | `EscalationEndpoints.cs` | - | `/notifications` | Implemented |
| Storm Breaker | Pro/Ent | Notifier | `StormBreakerEndpoints.cs` | - | - | Implemented |
| External Integrations | Enterprise | Integrations | `IIntegrationConnectorPlugin.cs` | - | `/integrations` | Implemented |
| Kubernetes Admission | Enterprise | Zastava | `AdmissionEndpoint.cs`, `AdmissionDecision.cs` | - | - | Implemented |
| Runtime Event Collection | Enterprise | Zastava | `RuntimeEvent.cs`, `RuntimeEventFactory.cs` | - | - | Implemented |
### Notification Channels (10 Types)
| Channel | Adapter | Status |
|---------|---------|--------|
| Slack | `SlackChannelAdapter.cs` | Implemented |
| Teams | `ChatWebhookChannelAdapter.cs` | Implemented |
| Email | `EmailChannelAdapter.cs` | Implemented |
| Webhook | `ChatWebhookChannelAdapter.cs` | Implemented |
| PagerDuty | `PagerDutyChannelAdapter.cs` | Implemented |
| OpsGenie | `OpsGenieChannelAdapter.cs` | Implemented |
| CLI | `CliChannelAdapter.cs` | Implemented |
| InApp | `InAppChannelAdapter.cs` | Implemented |
| InAppInbox | `InAppInboxChannelAdapter.cs` | Implemented |
| Custom | Plugin-based | Implemented |
### Runtime Event Types (Zastava)
| Event Kind | Description |
|------------|-------------|
| ContainerStart | Container lifecycle start |
| ContainerStop | Container lifecycle stop |
| Drift | Filesystem/binary changes |
| PolicyViolation | Policy rule breach |
| AttestationStatus | Signature/attestation verification |
---
## Summary Statistics
| Category | Count |
|----------|-------|
| Total Features in Matrix | ~200 original |
| Discovered Features | 200+ additional |
| CLI Commands | 80+ |
| UI Routes | 75+ |
| API Endpoints | 500+ |
| Service Interfaces | 300+ |
| Language Analyzers | 11+ |
| Advisory Connectors | 33+ |
| Notification Channels | 10 |
| Crypto Profiles | 8 |
| Policy Gate Types | 10+ |
| Risk Score Providers | 6 |
| Attestation Predicates | 25+ |
---
*Document generated via automated feature extraction from Stella Ops codebase (20,723+ .cs files across 1,024 projects)*