6.5 KiB
Executable File
6.5 KiB
Executable File
Stella Ops Suite Documentation
Stella Ops Suite is a centralized, auditable release control plane for non‑Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.
The platform combines:
- Release orchestration — UI-driven promotion (Dev -> Stage -> Prod), approvals, policy gates, rollbacks, and step-graph execution (sequential/parallel) with per-step logs
- Security decisioning as a gate — scan on build, evaluate on release, re-evaluate on vulnerability intel updates
- OCI-digest-first releases — immutable digest-based release identity with authoritative "what is deployed where" tracking
- Toolchain-agnostic integrations — plug into any SCM, CI, registry, secrets system, and host access method via plugins
- Auditability + standards — evidence packets, SBOM/VEX/attestation support, deterministic replay and explainable decisions
Verified vs Unverified Releases
Stella supports two operational modes:
- Verified releases (recommended): promotions require Stella evidence for each new digest (SBOM + reachability + policy decision record + approvals where configured). Intended for certifiable security and audit-grade releases.
- Unverified releases (CD-only): orchestration is allowed with evidence gates bypassed. Still tracked and logged, but not intended for security certification.
This documentation emphasizes the verified release path as the primary product value.
Licensing model (documentation-level summary)
Stella Ops Suite uses no feature gating across plans. Licensing limits apply only to:
- Environments
- New digests deep-scanned per month (evidence-grade analysis of previously unseen OCI digests)
Deployment targets are not licensed (unlimited targets; fair use may apply only under abusive automation patterns).
(See your offer/pricing document if present in the repo; commonly stored under docs/product/.)
Two Levels of Documentation
- High-level (canonical): curated guides in
docs/*.md. - Detailed (reference): deep dives under
docs/**(module dossiers, architecture notes, API contracts/samples, runbooks, schemas). Entry point:docs/technical/README.md.
This documentation set is internal and does not keep compatibility stubs for old paths. Content is consolidated to reduce duplication and outdated pages.
Start Here
Product Understanding
| Goal | Open this |
|---|---|
| Understand the product in 2 minutes | overview.md |
| Browse capabilities | key-features.md |
| Feature matrix | FEATURE_MATRIX.md |
| Product vision | product/VISION.md |
| Roadmap (priorities + definition of "done") | ROADMAP.md |
| Verified release model (concepts + evidence) | VERIFIED_RELEASES.md |
Getting Started
| Goal | Open this |
|---|---|
| First run (minimal install) | quickstart.md |
| Run a first scan (CLI) | quickstart.md |
| Run a first verified promotion (Dev -> Stage -> Prod) | RELEASE_PROCESS.md |
| Ingest advisories (Concelier + CLI) | CONCELIER_CLI_QUICKSTART.md |
| Console (Web UI) operator guide | UI_GUIDE.md |
| Doctor / self-service diagnostics | DOCTOR_GUIDE.md |
| Offline / air-gap operations | OFFLINE_KIT.md |
Architecture
| Goal | Open this |
|---|---|
| Architecture: high-level overview | ARCHITECTURE_OVERVIEW.md |
| Architecture: full reference map | ARCHITECTURE_REFERENCE.md |
| Architecture: user flows (UML) | technical/architecture/user-flows.md |
| Architecture: module matrix | technical/architecture/module-matrix.md |
| Architecture: data flows | technical/architecture/data-flows.md |
| Architecture: schema mapping | technical/architecture/schema-mapping.md |
| Release Orchestrator architecture | modules/release-orchestrator/architecture.md |
| Evidence and attestations | modules/evidence/README.md |
Development & Operations
| Goal | Open this |
|---|---|
| Engineering rules (determinism, security, docs discipline) | code-of-conduct/CODE_OF_CONDUCT.md |
| Testing standards and evidence expectations | code-of-conduct/TESTING_PRACTICES.md |
| Develop plugins/connectors | PLUGIN_SDK_GUIDE.md |
| Security deployment hardening | SECURITY_HARDENING_GUIDE.md |
| VEX consensus and issuer trust | VEX_CONSENSUS_GUIDE.md |
| Vulnerability Explorer guide | VULNERABILITY_EXPLORER_GUIDE.md |
Detailed Indexes
- Technical index (everything): docs/technical/README.md
- End-to-end workflow flows: docs/flows/
- Module dossiers: docs/modules/
- API contracts and samples: docs/api/
- Architecture notes / ADRs: docs/technical/architecture/, docs/technical/adr/
- Operations and deployment: docs/operations/
- Air-gap workflows: docs/modules/airgap/guides/
- Security deep dives: docs/security/
- Benchmarks and fixtures: docs/benchmarks/, docs/assets/
- Product advisories: docs/product/advisories/
Design Principles
- Offline-first: core operations work in air-gapped environments
- Deterministic replay: same inputs yield same outputs (stable ordering, canonical hashing)
- Evidence-linked decisions: every verified release decision links to concrete evidence artifacts
- Digest-first release identity: releases are immutable OCI digests, not mutable tags
- Pluggable everything: integrations are plugins; core orchestration is stable
- No feature gating: all plans include all features; licensing limits are environments + new digests deep-scanned per month; deployment targets are not licensed