stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7cfb683a52ea19cb49686d6e2e95380513708909
git.stella-ops.org/docs/key-features.md

289 lines
12 KiB
Markdown
Raw Blame History

# Key Features — Capability Cards
> **Core Thesis:** Stella Ops Suite isn't a scanner or a deployment tool—it's a **release control plane** that produces **attestable decisions that can be replayed**. Security is a gate, not a blocker. Evidence survives auditors, regulators, and supply-chain propagation.
> **Looking for the complete feature catalog?** See [`full-features-list.md`](full-features-list.md) for the comprehensive list, or [`FEATURE_MATRIX.md`](FEATURE_MATRIX.md) for tier-by-tier availability.
---
## At a Glance
| What Competitors Do | What Stella Ops Suite Does |
|--------------------|---------------------------|
| CI/CD runs pipelines | Central release authority across environments |
| Deployment tools promote | Promotion with integrated security gates |
| Scanners output findings | Security gates output decisions with proof chains |
| VEX as suppression file | VEX as logical claim system (K4 lattice) |
| Release identity via tags | Release identity via immutable digests |
| Per-seat/per-project pricing | Pay for environments + new digests/day |
| Online-first | Offline-first with full parity |
---
## Release Orchestration (Planned)
### 0. Release Control Plane
**The new core capability.** Stella Ops Suite becomes the central release authority between CI and runtime targets.
| Capability | What It Does |
|------------|--------------|
| **Environment management** | Define Dev/Stage/Prod with freeze windows and approval policies |
| **Release bundles** | Compose releases from component OCI digests with semantic versioning |
| **Promotion workflows** | DAG-based workflow engine with approvals, gates, and hooks |
| **Security gates** | Scan on build, evaluate on release, re-evaluate on CVE updates |
| **Deployment execution** | Deploy to Docker/Compose/ECS/Nomad via agents or agentless |
| **Evidence packets** | Every release decision is cryptographically signed and stored |
**Why it matters:** Non-Kubernetes container teams finally get a central release authority with audit-grade evidence—without replacing their existing CI/SCM/registry stack.
### 1. Digest-First Release Identity
**Tags are mutable; digests are truth.** A release is an immutable set of OCI digests, resolved at release creation time.
```
Release: myapp-v2.3.1
Components:
api: sha256:abc123...
worker: sha256:def456...
frontend: sha256:789ghi...
```
**What this enables:**
- Tamper detection at pull time (digest mismatch = deployment failure)
- Audit trail of exactly what was deployed
- Rollback to known-good digests, not "latest" tags
- "What is deployed where" tracking with integrity
**Modules (planned):** `ReleaseManager`, `ComponentRegistry`, `VersionManager`
### 2. Promotion Workflows with Security Gates
**Security integrated into release flow, not bolted on.** Promotion requests trigger gate evaluation before deployment.
| Gate Type | What It Checks |
|-----------|---------------|
| **Security gate** | Reachable critical/high vulnerabilities |
| **Approval gate** | Required approval count, separation of duties |
| **Freeze window gate** | Environment freeze windows |
| **Policy gate** | Custom OPA/Rego policies |
| **Previous environment gate** | Release deployed to prior environment |
**Decision records include:**
- All gate results with pass/fail reasons
- Evidence refs (scan verdicts, approval records)
- Policy hash + inputs hash for replay
- "Why blocked?" explainability
**Modules (planned):** `PromotionManager`, `ApprovalGateway`, `DecisionEngine`
### 3. Deployment Execution
**Deploy to non-Kubernetes targets as first-class citizens.** Agent-based or agentless deployment to Docker hosts, Compose, ECS, Nomad.
| Target Type | Deployment Method |
|-------------|-------------------|
| **Docker host** | Agent pulls and starts containers |
| **Compose host** | Agent writes `compose.stella.lock.yml` and runs `docker-compose up` |
| **ECS service** | Agent updates task definition and service |
| **Nomad job** | Agent updates job spec and submits |
| **SSH remote** | Agentless via SSH (Linux) |
| **WinRM remote** | Agentless via WinRM (Windows) |
**Generated artifacts:**
- `compose.stella.lock.yml`: Pinned digests, resolved environment refs
- `stella.version.json`: Version sticker on target for drift detection
- `release.evidence.json`: Decision record
**Modules (planned):** `DeployOrchestrator`, `Agent.*`, `ArtifactGenerator`
### 4. Progressive Delivery
**A/B releases and canary deployments.** Gradual rollout with automatic rollback on health failure.
| Strategy | Description |
|----------|-------------|
| **Immediate** | 0% → 100% instantly |
| **Canary** | 10% → 25% → 50% → 100% with health checks |
| **Blue-green** | Deploy to B, switch traffic, retire A |
| **Rolling** | 10% at a time with health checks |
**Traffic routing plugins:** Nginx, HAProxy, Traefik, AWS ALB
**Modules (planned):** `ABManager`, `TrafficRouter`, `CanaryController`
### 5. Plugin System (Three-Surface Model)
**Extensible without core code changes.** Plugins contribute through three surfaces.
| Surface | What It Does |
|---------|--------------|
| **Manifest** | Declares what the plugin provides (integrations, steps, agents) |
| **Connector runtime** | gRPC interface for runtime operations |
| **Step provider** | Execution characteristics for workflow steps |
**Plugin types:**
- **Integration connectors:** SCM (GitHub, GitLab), CI (Actions, Jenkins), Registry (Harbor, ECR), Vault (HashiCorp, AWS Secrets)
- **Step providers:** Custom workflow steps
- **Agent types:** New deployment targets
- **Gate providers:** Custom gate evaluations
**Modules (planned):** `PluginRegistry`, `PluginLoader`, `PluginSandbox`, `PluginSDK`
### 6. Doctor Self Service Diagnostics (Planned)
**Operators can self-diagnose integrations and services.** Doctor auto-discovers installed packs,
runs deterministic checks, and prints exact CLI fixes for every failure. Output includes JSONL
evidence logs and optional DSSE summaries for audits.
**Modules (planned):** `Doctor`, `IntegrationHub`, `CLI`, `Web`
**Spec:** `docs/doctor/doctor-capabilities.md`
---
## Security Capabilities (Operational)
### 7. Decision Capsules — Audit-Grade Evidence Bundles
**Every scan and release decision is sealed.** A Decision Capsule is a content-addressed bundle containing everything needed to reproduce and verify the decision.
| Component | What's Included |
|-----------|----------------|
| **Inputs** | Exact SBOM, frozen feed snapshots (with Merkle roots), policy version |
| **Evidence** | Reachability proofs (static + runtime), VEX statements, binary fingerprints |
| **Outputs** | Verdicts, risk scores, remediation paths |
| **Signatures** | DSSE envelopes over all of the above |
**Why it matters:** Auditors can replay any decision bit-for-bit. This is what "audit-grade assurance" actually means.
**Modules:** `EvidenceLocker`, `Attestor`, `Replay`
See `docs/modules/evidence-locker/export-format.md` and `docs/modules/evidence-locker/guides/evidence-pack-schema.md` for audit pack structure and verification.
### 8. Lattice Policy + OpenVEX (K4 Logic)
**VEX as a logical claim system, not a suppression file.** The policy engine uses Belnap K4 four-valued logic.
| State | Meaning |
|-------|---------|
| **Unknown (bottom)** | No information |
| **True** | Positive assertion |
| **False** | Negative assertion |
| **Conflict (top)** | Contradictory assertions |
**Why it matters:** When vendor says "not_affected" but runtime shows the function was called, you have a *conflict*—not a false positive.
**Modules:** `VexLens`, `TrustLatticeEngine`, `Policy`
### 9. Signed Reachability Proofs
**Proof of exploitability, not just a badge.** Every reachability graph is sealed with DSSE.
| Layer | What It Proves |
|-------|---------------|
| **Static** | Call graph shows path from entrypoint → vulnerable function |
| **Binary** | Compiled binary contains the symbol |
| **Runtime** | Process actually executed the code path |
**Why it matters:** "Here's the exact call path" vs "potentially reachable." Signed, not claimed.
**Modules:** `ReachGraph`, `PathWitnessBuilder`
### 10. Deterministic Replay
**The audit-grade guarantee.** Every scan produces a DSSE + SRM bundle that can be replayed.
```bash
# Six months later, prove what you knew
stella replay srm.yaml --assert-digest sha256:abc123...
# Output: PASS - identical result
```
**What's frozen:** Feed snapshots, analyzer versions, policy rules, random seeds.
**Modules:** `Replay`, `Scanner`, `Policy`
### 11. Sovereign Crypto Profiles
**Regional compliance without code changes.** FIPS, eIDAS, GOST, SM, and PQC profiles are configuration toggles.
| Profile | Use Case |
|---------|----------|
| **FIPS-140-3** | US federal |
| **eIDAS** | EU qualified signatures |
| **GOST-2012** | Russian Federation |
| **SM2** | People's Republic of China |
| **PQC** | Post-quantum readiness |
**Modules:** `Cryptography`, `CryptoProfile`
### 12. Offline Operations (Air-Gap Parity)
**Full functionality without network.** Offline Update Kits bundle everything needed.
| Component | Offline Method |
|-----------|----------------|
| Feed updates | Sealed bundle with Merkle roots |
| Crypto verification | Embedded revocation lists |
| Transparency logging | Local transparency mirror |
**Modules:** `AirGap.Controller`, `TrustStore`
### 13. Controlled Conversational Advisor
**Ask Stella with guardrails.** Operators can query evidence and receive cited answers while tool actions remain policy-gated and audited.
Key controls:
- Chat Gateway quotas and token budgets per user/org.
- Scrubber for secrets/PII and allowlisted tool calls only.
- Immutable audit log for prompts, redactions, tool calls, and model fingerprints.
**Modules:** `AdvisoryAI`, `Policy`, `Authority`, `CLI`, `Web`, `Gateway`
### 14. AI Code Guard for AI-Assisted Code
**Catch security, IP, and license risks in AI-assisted changes.** Fast guard checks run on code diffs and produce evidence for deterministic policy gates.
Key controls:
- Secrets and unsafe API detection with new vs pre-existing classification.
- Snippet similarity against allowlist and denylist corpora.
- License hygiene on dependency diffs and long snippet attribution.
- Overrides with audit (issue link, expiry, role-based approval).
**Modules:** `Scanner`, `Policy`, `CLI`, `Integrations`, `Attestor`, `Web`
**Docs:** `docs/modules/scanner/operations/ai-code-guard.md`, `docs/modules/policy/guides/ai-code-guard-policy.md`
---
## Competitive Moats Summary
**Eight capabilities no competitor offers together:**
| # | Capability | Category |
|---|-----------|----------|
| 1 | **Non-Kubernetes Specialization** | Release orchestration |
| 2 | **Digest-First Release Identity** | Release orchestration |
| 3 | **Security Gates in Promotion Flow** | Release orchestration |
| 4 | **Signed Reachability Proofs** | Security |
| 5 | **Deterministic Replay** | Security |
| 6 | **Sovereign + Offline Operation** | Operations |
| 7 | **Controlled Conversational Advisor** | Security |
| 8 | **AI Code Guard for AI-Assisted Code** | Security |
**Pricing moat:** No per-seat, per-project, or per-deployment tax. Limits are environments + new digests/day.
---
## Quick Reference
### Key Documents
- **Product Vision**: [`docs/product/VISION.md`](product/VISION.md)
- **Architecture Overview**: [`docs/ARCHITECTURE_OVERVIEW.md`](ARCHITECTURE_OVERVIEW.md)
- **Release Orchestrator Architecture**: [`docs/modules/release-orchestrator/architecture.md`](modules/release-orchestrator/architecture.md)
- **Competitive Landscape**: [`docs/product/competitive-landscape.md`](product/competitive-landscape.md)
- **Quickstart**: [`docs/quickstart.md`](quickstart.md)
- **Feature Matrix**: [`docs/FEATURE_MATRIX.md`](FEATURE_MATRIX.md)
- **Controlled Conversational Interface Advisory**: [`docs-archived/product/advisories/13-Jan-2026 - Controlled Conversational Interface.md`](../docs-archived/product/advisories/13-Jan-2026%20-%20Controlled%20Conversational%20Interface.md)
Reference in New Issue View Git Blame Copy Permalink