# Feature Gaps Report - Stella Ops Suite

*(Auto-generated during feature matrix completion)*

This report documents:

1. Features discovered in code but not listed in FEATURE_MATRIX.md
2. CLI/UI coverage gaps for existing features

---

## Batch 1: SBOM & Ingestion

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| SPDX 3.0 Build Attestation | Attestor | `BuildAttestationMapper.cs`, `DsseSpdx3Signer.cs`, `CombinedDocumentBuilder.cs` | - | - | Attestation & Signing |
| CycloneDX CBOM Support | Scanner | `CycloneDxCbomWriter.cs` | - | - | SBOM & Ingestion |
| Trivy DB Export (Offline) | Concelier | `TrivyDbExporterPlugin.cs`, `TrivyDbOrasPusher.cs`, `TrivyDbExportPlanner.cs` | `stella db export trivy` | - | Offline & Air-Gap |
| Layer SBOM Composition | Scanner | `SpdxLayerWriter.cs`, `CycloneDxLayerWriter.cs`, `LayerSbomService.cs` | `stella sbomer layer`, `stella scan layer-sbom` | - | SBOM & Ingestion |
| SBOM Advisory Matching | Concelier | `SbomAdvisoryMatcher.cs`, `SbomRegistryService.cs`, `ValkeyPurlCanonicalIndex.cs` | - | - | Advisory Sources |
| Graph Lineage Service | Graph | `IGraphLineageService.cs`, `InMemoryGraphLineageService.cs`, `LineageContracts.cs` | - | `/graph` | SBOM & Ingestion |
| Evidence Cards (SBOM excerpts) | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCardService.cs`, `EvidenceCard.cs` | - | Evidence drawer | Evidence & Findings |
| AirGap SBOM Parsing | AirGap | `SpdxParser.cs`, `CycloneDxParser.cs` | - | `/ops/offline-kit` | Offline & Air-Gap |
| SPDX License Normalization | Scanner | `SpdxLicenseNormalizer.cs`, `SpdxLicenseExpressions.cs`, `SpdxLicenseList.cs` | - | - | Scanning & Detection |
| SBOM Format Conversion | Scanner | `SpdxCycloneDxConverter.cs` | - | - | SBOM & Ingestion |
| SBOM Validation Pipeline | Scanner | `SbomValidationPipeline.cs`, `SemanticSbomExtensions.cs` | - | - | SBOM & Ingestion |
| CycloneDX Evidence Mapping | Scanner | `CycloneDxEvidenceMapper.cs` | - | - | SBOM & Ingestion |
| CycloneDX Pedigree Mapping | Scanner | `CycloneDxPedigreeMapper.cs` | - | - | SBOM & Ingestion |
| SBOM Snapshot Export | Graph | `SbomSnapshot.cs`, `SbomSnapshotExporter.cs` | - | - | Evidence & Findings |
| Lineage Evidence Packs | ExportCenter | `ILineageEvidencePackService.cs`, `LineageEvidencePack.cs`, `LineageExportEndpoints.cs` | - | `/triage/audit-bundles` | Evidence & Findings |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Delta-SBOM Cache | SbomService | No | No | Internal optimization - no action needed |
| SBOM Lineage Ledger | SbomService | No | Yes | Add `stella sbom lineage list/show` commands |
| SBOM Lineage API | SbomService | No | Yes | Add `stella sbom lineage export` command |
| SPDX 3.0 Build Attestation | Attestor | No | No | Add to Attestation & Signing matrix section |
| Graph Lineage Service | Graph | No | Yes | Consider `stella graph lineage` command |
| Trivy DB Export | Concelier | Partial | No | `stella db export trivy` exists but may need UI |

---

## Batch 2: Scanning & Detection

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Secrets Detection (Regex+Entropy) | Scanner | `SecretsAnalyzer.cs`, `RegexDetector.cs`, `EntropyDetector.cs`, `CompositeSecretDetector.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Dpkg (Debian/Ubuntu) | Scanner | `DpkgPackageAnalyzer.cs`, `DpkgStatusParser.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Apk (Alpine) | Scanner | `ApkPackageAnalyzer.cs`, `ApkDatabaseParser.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - RPM (RHEL/CentOS) | Scanner | `RpmPackageAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Homebrew (macOS) | Scanner | `HomebrewPackageAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - macOS Bundles | Scanner | `MacOsBundleAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| OS Analyzers - Windows (Chocolatey/MSI/WinSxS) | Scanner | `ChocolateyAnalyzer.cs`, `MsiAnalyzer.cs`, `WinSxSAnalyzer.cs` | `stella scan run` | `/findings` | Scanning & Detection |
| Symbol-Level Vulnerability Matching | Scanner | `VulnSurfaceService.cs`, `AdvisorySymbolMapping.cs`, `AffectedSymbol.cs` | - | - | Scanning & Detection |
| SARIF 2.1.0 Export | Scanner | SARIF export in CLI | `stella scan sarif` | - | Scanning & Detection |
| Fidelity Upgrade (Quick->Standard->Deep) | Scanner | `FidelityAwareAnalyzer.UpgradeFidelityAsync()` | - | - | Scanning & Detection |
| OCI Multi-Architecture Support | Scanner | `OciImageInspector.cs` (amd64, arm64, etc.) | `stella image inspect` | - | Scanning & Detection |
| Symlink Resolution (32-level depth) | Scanner | `LayeredRootFileSystem.cs` | - | - | Scanning & Detection |
| Whiteout File Support | Scanner | `LayeredRootFileSystem.cs` | - | - | Scanning & Detection |
| NATS/Redis Scan Queue | Scanner | `NatsScanQueue.cs`, `RedisScanQueue.cs` | - | `/ops/scanner` | Operations |
| Determinism Controls | Scanner | `DeterminismContext.cs`, `DeterministicTimeProvider.cs`, `DeterministicRandomProvider.cs` | `stella scan replay` | `/ops/scanner` | Determinism & Reproducibility |
| Lease-Based Job Processing | Scanner | `LeaseHeartbeatService.cs`, `ScanJobProcessor.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| License-Risk Detection | Scanner | No | No | Planned Q4-2025 - not yet implemented |
| Secrets Detection | Scanner | Implicit | Implicit | Document in matrix (runs automatically during scan) |
| OS Package Analyzers | Scanner | Implicit | Implicit | Document in matrix (6 OS-level analyzers) |
| Symbol-Level Matching | Scanner | No | No | Advanced feature - consider exposing in findings detail |
| SARIF Export | Scanner | Yes | No | Consider adding SARIF download in UI |
| Concurrent Worker Config | Scanner | No | Yes | CLI option for worker count would help CI/CD |

---

## Batch 3: Reachability Analysis

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 8-State Reachability Lattice | Reachability.Core | `ReachabilityLattice.cs` (28 state transitions) | - | `/reachability` | Reachability Analysis |
| Confidence Calculator | Reachability.Core | `ConfidenceCalculator.cs` (path/guard/hit bonuses) | - | - | Reachability Analysis |
| Evidence Weighted Score (EWS) | Signals | `EvidenceWeightedScoreCalculator.cs` (6 dimensions: RCH/RTS/BKP/XPL/SRC/MIT) | - | - | Scoring & Risk |
| Attested Reduction Scoring | Signals | VEX anchoring with short-circuit rules | - | - | Scoring & Risk |
| Hybrid Reachability Query | Reachability.Core | `IReachabilityIndex.cs` (static/runtime/hybrid/batch modes) | `stella reachgraph slice` | `/reachability` | Reachability Analysis |
| Reachability Replay/Verify | ReachGraph | `IReachabilityReplayService.VerifyAsync()` | `stella reachgraph replay/verify` | - | Determinism & Reproducibility |
| Graph Triple-Layer Storage | ReachGraph | `ReachGraphStoreService.cs` (Cache->DB->Archive) | - | - | Operations |
| Per-Graph Signing | ReachGraph | SHA256 artifact/provenance digests | - | - | Attestation & Signing |
| GraphViz/Mermaid Export | CLI | `stella reachability show --format dot/mermaid` | `stella reachability show` | - | Reachability Analysis |
| Reachability Drift Alerts | Docs | `19-reachability-drift-alert-flow.md` (state transition monitoring) | `stella drift` | - | Reachability Analysis |
| Evidence URIs | ReachGraph | `stella://reachgraph/{digest}/slice/{symbolId}` format | - | - | Evidence & Findings |
| Environment Guard Detection | Scanner | 20+ patterns (process.env, sys.platform, etc.) | - | `/reachability` | Reachability Analysis |
| Dynamic Loading Detection | Scanner | require(variable), import(variable), Class.forName() | - | - | Reachability Analysis |
| Reflection Call Detection | Scanner | Confidence scoring 0.5-0.6 for dynamic paths | - | - | Reachability Analysis |
| EWS Guardrails | Signals | Speculative cap (45), not-affected cap (15), runtime floor (60) | - | - | Scoring & Risk |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Runtime Signal Correlation | Signals | No | Yes | Add `stella signals inspect` command |
| Gate Detection | Scanner | No | Yes | Consider `stella reachability guards` command |
| Path Witness Generation | ReachGraph | Yes | No | Add witness path visualization in UI |
| Confidence Calculator | Reachability.Core | No | No | Internal implementation - consider exposing in findings |
| Evidence Weighted Score | Signals | No | Partial | Add `stella score explain` command |
| Graph Triple-Layer Storage | ReachGraph | No | No | Ops concern - consider admin commands |

---

## Batch 4: Binary Analysis

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 4 Fingerprint Algorithm Types | BinaryIndex | `BasicBlockFingerprintGenerator.cs`, `ControlFlowGraphFingerprintGenerator.cs`, `StringRefsFingerprintGenerator.cs` | `stella binary fingerprint` | - | Binary Analysis |
| Alpine Corpus Support | BinaryIndex | `AlpineCorpusConnector.cs` | - | - | Binary Analysis |
| VEX Evidence Bridge | BinaryIndex | `IVexEvidenceGenerator.cs` | - | - | VEX Processing |
| Delta Signature Matching | BinaryIndex | `LookupByDeltaSignatureAsync()` | `stella deltasig` | - | Binary Analysis |
| Symbol Hash Matching | BinaryIndex | `LookupBySymbolHashAsync()` | `stella binary symbols` | - | Binary Analysis |
| Corpus Function Identification | BinaryIndex | `IdentifyFunctionFromCorpusAsync()` | - | - | Binary Analysis |
| Binary Call Graph Extraction | BinaryIndex | `binary callgraph` command | `stella binary callgraph` | - | Binary Analysis |
| 3-Tier Identification Strategy | BinaryIndex | Package/Build-ID/Fingerprint tiers | - | - | Binary Analysis |
| Fingerprint Validation Stats | BinaryIndex | `FingerprintValidationStats.cs` (TP/FP/TN/FN) | - | - | Binary Analysis |
| Changelog CVE Parsing | BinaryIndex | `DebianChangelogParser.cs` (CVE pattern extraction) | - | - | Binary Analysis |
| Secfixes Parsing | BinaryIndex | `ISecfixesParser.cs` (Alpine format) | - | - | Binary Analysis |
| Batch Binary Operations | BinaryIndex | All lookup methods support batching | - | - | Binary Analysis |
| Binary Match Confidence Scoring | BinaryIndex | 0.0-1.0 confidence for all matches | - | - | Binary Analysis |
| Architecture-Aware Filtering | BinaryIndex | Match filtering by architecture | - | - | Binary Analysis |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Alpine Corpus | BinaryIndex | No | No | Add to matrix as additional corpus |
| Corpus Ingestion UI | BinaryIndex | No | No | Consider admin UI for corpus management |
| VEX Evidence Bridge | BinaryIndex | No | No | Internal integration - document in VEX section |
| Fingerprint Visualization | BinaryIndex | Yes | No | Consider UI for function fingerprint display |
| Batch Operations | BinaryIndex | No | No | Internal API - consider batch CLI commands |
| Delta Signatures | BinaryIndex | Yes | No | Consider UI integration for patch detection |

---

## Batch 5: Advisory Sources

### Discovered Features (Not in Matrix)

**CRITICAL: Matrix lists 11 sources, but codebase has 33+ connectors!**

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| **SUSE Connector** | Concelier | `Connector.Distro.Suse/` | `stella db fetch suse` | - | Advisory Sources |
| **Astra Linux Connector** | Concelier | `Connector.Astra/` (FSTEC-certified Russian) | `stella db fetch astra` | - | Advisory Sources |
| **Microsoft MSRC** | Concelier | `vndr.msrc` vendor connector | - | - | Advisory Sources |
| **Oracle Connector** | Concelier | `vndr.oracle` vendor connector | - | - | Advisory Sources |
| **Adobe Connector** | Concelier | `vndr.adobe` vendor connector | - | - | Advisory Sources |
| **Apple Connector** | Concelier | `vndr.apple` vendor connector | - | - | Advisory Sources |
| **Cisco Connector** | Concelier | `vndr.cisco` vendor connector | - | - | Advisory Sources |
| **Chromium Connector** | Concelier | `vndr.chromium` vendor connector | - | - | Advisory Sources |
| **VMware Connector** | Concelier | `vndr.vmware` vendor connector | - | - | Advisory Sources |
| **JVN (Japan) CERT** | Concelier | `Connector.Jvn/` | - | - | Advisory Sources |
| **ACSC (Australia) CERT** | Concelier | `Connector.Acsc/` | - | - | Advisory Sources |
| **CCCS (Canada) CERT** | Concelier | `Connector.Cccs/` | - | - | Advisory Sources |
| **CertFr (France) CERT** | Concelier | `Connector.CertFr/` | - | - | Advisory Sources |
| **CertBund (Germany) CERT** | Concelier | `Connector.CertBund/` | - | - | Advisory Sources |
| **CertCc CERT** | Concelier | `Connector.CertCc/` | - | - | Advisory Sources |
| **CertIn (India) CERT** | Concelier | `Connector.CertIn/` | - | - | Advisory Sources |
| **RU-BDU (Russia) CERT** | Concelier | `Connector.Ru.Bdu/` | - | - | Advisory Sources |
| **RU-NKCKI (Russia) CERT** | Concelier | `Connector.Ru.Nkcki/` | - | - | Advisory Sources |
| **KISA (South Korea) CERT** | Concelier | `Connector.Kisa/` | - | - | Advisory Sources |
| **ICS-CISA (Industrial)** | Concelier | `Connector.Ics.Cisa/` | - | - | Advisory Sources |
| **ICS-Kaspersky (Industrial)** | Concelier | `Connector.Ics.Kaspersky/` | - | - | Advisory Sources |
| **StellaOpsMirror (Internal)** | Concelier | `Connector.StellaOpsMirror/` | - | - | Advisory Sources |
| Backport-Aware Precedence | Concelier | `ConfigurableSourcePrecedenceLattice.cs` | - | - | Advisory Sources |
| Link-Not-Merge Architecture | Concelier | Transitioning from merge to observation/linkset | - | - | Advisory Sources |
| Canonical Deduplication | Concelier | `ICanonicalAdvisoryService`, `CanonicalMerger.cs` | - | - | Advisory Sources |
| Change History Tracking | Concelier | `IChangeHistoryStore` (field-level diffs) | - | - | Advisory Sources |
| Feed Epoch Events | Concelier | `FeedEpochAdvancedEvent` (Provcache invalidation) | - | - | Advisory Sources |
| JSON Exporter | Concelier | `Exporter.Json/` (manifest-driven export) | `stella db export json` | - | Offline & Air-Gap |
| Trivy DB Exporter | Concelier | `Exporter.TrivyDb/` | `stella db export trivy` | - | Offline & Air-Gap |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| **22+ Connectors Missing from Matrix** | Concelier | Partial | No | ADD TO MATRIX - major documentation gap |
| Vendor PSIRTs (7 connectors) | Concelier | No | No | Add vendor section to matrix |
| Regional CERTs (11 connectors) | Concelier | No | No | Add regional CERT section to matrix |
| Industrial/ICS (2 connectors) | Concelier | No | No | Add ICS section to matrix |
| Link-Not-Merge Transition | Concelier | No | No | Document new architecture in matrix |
| Backport Precedence | Concelier | No | No | Document in merge engine section |
| Change History | Concelier | No | No | Consider audit trail UI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md seriously underrepresents Concelier capabilities:

- **Listed:** 11 sources
- **Actual:** 33+ connectors

Recommended additions:

1. Add "Vendor PSIRTs" section (Microsoft, Oracle, Adobe, Apple, Cisco, Chromium, VMware)
2. Add "Regional CERTs" section (JVN, ACSC, CCCS, CertFr, CertBund, CertIn, RU-BDU, KISA, etc.)
3. Add "Industrial/ICS" section (ICS-CISA, ICS-Kaspersky)
4. Add "Additional Distros" section (SUSE, Astra Linux)
5. Document backport-aware precedence configuration

---

## Batch 6: VEX Processing

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| VEX Consensus Engine (5-state lattice) | VexLens | `VexConsensusEngine.cs`, `IVexConsensusEngine.cs` | `stella vex consensus` | `/vex` | VEX Processing |
| Trust Decay Service | VexLens | `TrustDecayService.cs`, `TrustDecayCalculator.cs` | - | - | VEX Processing |
| Noise Gate Service | VexLens | `NoiseGateService.cs` | - | `/vex` | VEX Processing |
| Consensus Rationale Service | VexLens | `IConsensusRationaleService.cs`, `ConsensusRationaleModels.cs` | - | `/vex` | VEX Processing |
| VEX Linkset Extraction | Excititor | `VexLinksetExtractionService.cs` | - | - | VEX Processing |
| VEX Linkset Disagreement Detection | Excititor | `VexLinksetDisagreementService.cs` | - | `/vex` | VEX Processing |
| VEX Statement Backfill | Excititor | `VexStatementBackfillService.cs` | - | - | VEX Processing |
| VEX Evidence Chunking | Excititor | `VexEvidenceChunkService.cs` | - | - | VEX Processing |
| Auto-VEX Downgrade | Excititor | `AutoVexDowngradeService.cs` | - | - | VEX Processing |
| Risk Feed Service | Excititor | `RiskFeedService.cs`, `RiskFeedEndpoints.cs` | - | - | VEX Processing |
| Trust Calibration Service | Excititor | `TrustCalibrationService.cs` | - | - | VEX Processing |
| VEX Hashing Service (deterministic) | Excititor | `VexHashingService.cs` | - | - | VEX Processing |
| CSAF Provider Connectors (7 total) | Excititor | `Connectors.*.CSAF/` (RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE) | - | - | VEX Processing |
| OCI OpenVEX Attestation Connector | Excititor | `Connectors.OCI.OpenVEX.Attest/` | - | - | VEX Processing |
| Issuer Key Lifecycle Management | IssuerDirectory | Key create/rotate/revoke endpoints | - | `/issuer-directory` | VEX Processing |
| Issuer Trust Override | IssuerDirectory | Trust override endpoints | - | `/issuer-directory` | VEX Processing |
| CSAF Publisher Bootstrap | IssuerDirectory | `csaf-publishers.json` seeding | - | - | VEX Processing |
| VEX Webhook Distribution | VexHub | `IWebhookService.cs`, `IWebhookSubscriptionRepository.cs` | - | - | VEX Processing |
| VEX Conflict Flagging | VexHub | `IStatementFlaggingService.cs` | - | - | VEX Processing |
| VEX from Drift Generation | CLI | `VexGenCommandGroup.cs` | `stella vex gen --from-drift` | - | VEX Processing |
| VEX Decision Signing | Policy | `VexDecisionSigningService.cs` | - | - | Policy Engine |
| VEX Proof Spine | Policy | `VexProofSpineService.cs` | - | - | Policy Engine |
| Consensus Propagation Rules | VexLens | `IPropagationRuleEngine.cs` | - | - | VEX Processing |
| Consensus Delta Computation | VexLens | `VexDeltaComputeService.cs` | - | - | VEX Processing |
| Triple-Layer Consensus Storage | VexLens | Cache->DB->Archive with `IConsensusProjectionStore.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| CSAF Provider Connectors | Excititor | No | No | Consider connector status UI in ops |
| Trust Weight Configuration | VexLens | No | Partial | Add `stella vex trust configure` command |
| VEX Distribution Webhooks | VexHub | No | No | Add webhook management UI/CLI |
| Conflict Resolution | VexLens | No | Partial | Interactive conflict resolution needed |
| Issuer Key Management | IssuerDirectory | No | Yes | Add `stella issuer keys` CLI |
| Risk Feed Distribution | Excititor | No | No | Consider risk feed CLI |
| Consensus Replay/Verify | VexLens | No | No | Add `stella vex verify` command |
| VEX Evidence Export | Excititor | No | No | Add `stella vex evidence export` |

### Matrix Update Recommendations

The FEATURE_MATRIX.md VEX section is significantly underspecified:

- **Listed:** Basic VEX support (OpenVEX, CSAF, CycloneDX)
- **Actual:** Full consensus engine with 5-state lattice, 9 trust factors, 7 CSAF connectors, conflict detection, issuer registry

Recommended additions:

1. Add "VEX Consensus Engine" as major feature (VexLens)
2. Add "Trust Weight Scoring" with 9 factors documented
3. Add "CSAF Provider Connectors" section (7 vendors)
4. Add "Issuer Trust Registry" (IssuerDirectory)
5. Add "VEX Distribution" (VexHub webhooks)
6. Document AOC (Aggregation-Only Contract) compliance
7. Add "VEX from Drift" generation capability

---

## Batch 7: Policy Engine

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| K4 Lattice (Belnap Four-Valued Logic) | Policy | `K4Lattice.cs`, `TrustLatticeEngine.cs`, `ClaimScoreMerger.cs` | - | `/policy` | Policy Engine |
| 10+ Policy Gate Types | Policy | `PolicyGateEvaluator.cs`, various `*Gate.cs` files | - | `/policy` | Policy Engine |
| Uncertainty Score Calculator | Policy.Determinization | `UncertaintyScoreCalculator.cs` (entropy 0.0-1.0) | - | - | Policy Engine |
| Decayed Confidence Calculator | Policy.Determinization | `DecayedConfidenceCalculator.cs` (14-day half-life) | - | - | Policy Engine |
| 6 Evidence Types | Policy.Determinization | `BackportEvidence.cs`, `CvssEvidence.cs`, `EpssEvidence.cs`, etc. | - | - | Policy Engine |
| 6 Risk Score Providers | RiskEngine | `CvssKevProvider.cs`, `EpssProvider.cs`, `FixChainRiskProvider.cs` | - | `/risk` | Scoring & Risk |
| FixChain Risk Metrics | RiskEngine | `FixChainRiskMetrics.cs`, `FixChainRiskDisplay.cs` | - | - | Scoring & Risk |
| Exception Effect Registry | Policy | `ExceptionEffectRegistry.cs`, `ExceptionAdapter.cs` | - | `/policy/exceptions` | Policy Engine |
| Exception Approval Rules | Policy | `IExceptionApprovalRulesService.cs` | - | `/policy/exceptions` | Policy Engine |
| Policy Simulation Service | Policy.Registry | `IPolicySimulationService.cs` | `stella policy simulate` | `/policy/simulate` | Policy Engine |
| Policy Promotion Pipeline | Policy.Registry | `IPromotionService.cs`, `IPublishPipelineService.cs` | - | - | Policy Engine |
| Review Workflow Service | Policy.Registry | `IReviewWorkflowService.cs` | - | - | Policy Engine |
| Sealed Mode Service | Policy | `ISealedModeService.cs` | - | `/ops` | Offline & Air-Gap |
| Verdict Attestation Service | Policy | `IVerdictAttestationService.cs` | - | - | Attestation & Signing |
| Policy Decision Attestation | Policy | `IPolicyDecisionAttestationService.cs` (DSSE/Rekor) | - | - | Attestation & Signing |
| Score Policy YAML Config | Policy | `ScorePolicyModels.cs`, `ScorePolicyLoader.cs` | `stella policy validate` | `/policy` | Policy Engine |
| Profile-Aware Scoring | Policy.Scoring | `ProfileAwareScoringService.cs`, `ScoringProfileService.cs` | - | - | Policy Engine |
| Freshness-Aware Scoring | Policy | `FreshnessAwareScoringService.cs` | - | - | Policy Engine |
| Jurisdiction Trust Rules | Policy.Vex | `JurisdictionTrustRules.cs` | - | - | Policy Engine |
| VEX Customer Override | Policy.Vex | `VexCustomerOverride.cs` | - | - | Policy Engine |
| Attestation Report Service | Policy | `IAttestationReportService.cs` | - | - | Attestation & Signing |
| Risk Scoring Trigger Service | Policy.Scoring | `RiskScoringTriggerService.cs` | - | - | Scoring & Risk |
| Policy Lint Endpoint | Policy | `/policy/lint` | - | - | Policy Engine |
| Policy Determinism Verification | Policy | `/policy/verify-determinism` | - | - | Determinism & Reproducibility |
| AdvisoryAI Knobs Endpoint | Policy | `/policy/advisory-ai/knobs` | - | - | Policy Engine |
| Stability Damping Gate | Policy | `StabilityDampingGate.cs` | - | - | Policy Engine |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| K4 Lattice Operations | Policy | No | Partial | Add `stella policy lattice explain` for debugging |
| Risk Provider Configuration | RiskEngine | No | No | Provider configuration needs CLI/UI exposure |
| Exception Approval Workflow | Policy | No | Yes | Add `stella policy exception approve/reject` CLI |
| Determinization Signal Weights | Policy | No | No | Allow signal weight tuning via CLI/config |
| Policy Pack Promotion | Policy.Registry | No | Partial | Add `stella policy promote` CLI |
| Score Policy Tuning | Policy.Scoring | Partial | Partial | Expand `stella policy` commands |
| Verdict Attestation Export | Policy | No | No | Add `stella policy verdicts export` |
| Risk Scoring History | RiskEngine | No | Partial | Consider historical trend CLI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Policy section covers basics but misses advanced features:

- **Listed:** Basic policy evaluation, exceptions
- **Actual:** Full K4 lattice, 10+ gate types, 6 risk providers, determinization system

Recommended additions:

1. Add "K4 Lattice Logic" as core feature (Belnap four-valued logic)
2. Add "Policy Gate Types" section (10+ specialized gates)
3. Add "Risk Score Providers" section (6 providers with distinct purposes)
4. Add "Determinization System" (signal weights, decay, uncertainty)
5. Add "Score Policy Configuration" (YAML-based policy tuning)
6. Add "Policy Simulation" as distinct feature
7. Add "Verdict Attestations" (DSSE/Rekor integration)
8. Document "Sealed Mode" for air-gap operations

---

## Batch 8: Attestation & Signing

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 25+ Predicate Types | Attestor | `StellaOps.Attestor.ProofChain/Predicates/` | - | - | Attestation & Signing |
| Keyless Signing (Fulcio) | Signer | `KeylessDsseSigner.cs`, `HttpFulcioClient.cs` | `stella sign keyless` | - | Attestation & Signing |
| Ephemeral Key Generation | Signer.Keyless | `EphemeralKeyGenerator.cs`, `EphemeralKeyPair.cs` | - | - | Attestation & Signing |
| OIDC Token Provider | Signer.Keyless | `IOidcTokenProvider.cs`, `AmbientOidcTokenProvider.cs` | - | - | Attestation & Signing |
| Key Rotation Service | Signer.KeyManagement | `IKeyRotationService.cs`, `KeyRotationService.cs` | `/keys/rotate` API | - | Attestation & Signing |
| Trust Anchor Manager | Signer.KeyManagement | `ITrustAnchorManager.cs`, `TrustAnchorManager.cs` | - | - | Attestation & Signing |
| Delta Attestations (4 types) | Attestor | `IDeltaAttestationService.cs` (VEX/SBOM/Verdict/Reachability) | - | - | Attestation & Signing |
| Layer Attestation Service | Attestor | `ILayerAttestationService.cs` | - | - | Attestation & Signing |
| Attestation Chain Builder | Attestor | `AttestationChainBuilder.cs`, `AttestationChainValidator.cs` | - | - | Attestation & Signing |
| Attestation Link Store | Attestor | `IAttestationLinkStore.cs`, `IAttestationLinkResolver.cs` | - | - | Attestation & Signing |
| Rekor Submission Queue | Attestor | `IRekorSubmissionQueue.cs` (durable retry) | - | - | Attestation & Signing |
| Cached Verification Service | Attestor | `CachedAttestorVerificationService.cs` | - | - | Attestation & Signing |
| Offline Bundle Service | Attestor | `IAttestorBundleService.cs` | - | `/ops/offline-kit` | Offline & Air-Gap |
| Signer Quota Service | Signer | `ISignerQuotaService.cs` | - | - | Operations |
| Signer Audit Sink | Signer | `ISignerAuditSink.cs`, `InMemorySignerAuditSink.cs` | - | - | Operations |
| Proof of Entitlement | Signer | `IProofOfEntitlementIntrospector.cs` (JWT/MTLS) | - | - | Auth & Access Control |
| Release Integrity Verifier | Signer | `IReleaseIntegrityVerifier.cs` | - | - | Attestation & Signing |
| JSON Canonicalizer (RFC 8785) | Attestor | `JsonCanonicalizer.cs` | - | - | Determinism & Reproducibility |
| Predicate Type Router | Attestor | `IPredicateTypeRouter.cs`, `PredicateTypeRouter.cs` | - | - | Attestation & Signing |
| Standard Predicate Registry | Attestor | `IStandardPredicateRegistry.cs` | - | - | Attestation & Signing |
| HMAC Signing | Signer | `HmacDsseSigner.cs` | - | - | Attestation & Signing |
| SM2 Algorithm Support | Signer | `CryptoDsseSigner.cs` (SM2 branch) | - | - | Regional Crypto |
| Promotion Attestation | Provenance | `PromotionAttestation.cs` | - | - | Release Orchestration |
| Cosign/KMS Signer | Provenance | `CosignAndKmsSigner.cs` | - | - | Attestation & Signing |
| Rotating Signer | Provenance | `RotatingSigner.cs` | - | - | Attestation & Signing |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Key Rotation | Signer | No | No | Add `stella keys rotate` CLI command |
| Trust Anchor Management | Signer | No | No | Add `stella trust-anchors` commands |
| Attestation Chain Visualization | Attestor | No | Partial | Add chain visualization UI |
| Predicate Registry Browser | Attestor | No | No | Add `stella attest predicates list` |
| Delta Attestation CLI | Attestor | No | No | Add `stella attest delta` commands |
| Signer Audit Logs | Signer | No | No | Add `stella sign audit` command |
| Rekor Submission Status | Attestor | No | No | Add submission queue status UI |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Attestation section lists basic DSSE/in-toto support:

- **Listed:** Basic attestation attach/verify, SLSA provenance
- **Actual:** 25+ predicate types, keyless signing, key rotation, attestation chains

Recommended additions:

1. Add "Predicate Types" section (25+ types documented)
2. Add "Keyless Signing (Sigstore)" as major feature
3. Add "Key Rotation Service" for Enterprise tier
4. Add "Trust Anchor Management" for Enterprise tier
5. Add "Attestation Chains" feature
6. Add "Delta Attestations" (VEX/SBOM/Verdict/Reachability)
7. Document "Offline Bundle Service" for air-gap
8. Add "SM2 Algorithm Support" in Regional Crypto section

---

## Batch 9: Regional Crypto

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 8 Signature Profiles | Cryptography | `SignatureProfile.cs` | - | - | Regional Crypto |
| Ed25519 Baseline Signing | Cryptography | `Ed25519Signer.cs`, `Ed25519Verifier.cs` | - | - | Regional Crypto |
| ECDSA P-256 Profile | Cryptography | `EcdsaP256Signer.cs` | - | - | Regional Crypto |
| FIPS 140-2 Plugin | Cryptography | `FipsPlugin.cs` | - | - | Regional Crypto |
| GOST R 34.10-2012 Plugin | Cryptography | `GostPlugin.cs` | - | - | Regional Crypto |
| SM2/SM3/SM4 Plugin | Cryptography | `SmPlugin.cs` | - | - | Regional Crypto |
| eIDAS Plugin (CAdES/XAdES) | Cryptography | `EidasPlugin.cs` | - | - | Regional Crypto |
| HSM Plugin (PKCS#11) | Cryptography | `HsmPlugin.cs` (simulated + production) | - | - | Regional Crypto |
| CryptoPro GOST (Windows) | Cryptography | `CryptoProGostCryptoProvider.cs` | - | - | Regional Crypto |
| Multi-Profile Signing | Cryptography | `MultiProfileSigner.cs` | - | - | Regional Crypto |
| SM Remote Service | SmRemote | `Program.cs` | - | - | Regional Crypto |
| Post-Quantum Profiles (Defined) | Cryptography | `SignatureProfile.cs` (Dilithium, Falcon) | - | - | Regional Crypto |
| RFC 3161 TSA Integration | Cryptography | `EidasPlugin.cs` | - | - | Regional Crypto |
| Simulated HSM Client | Cryptography | `SimulatedHsmClient.cs` | - | - | Regional Crypto |
| GOST Block Cipher (28147-89) | Cryptography | `GostPlugin.cs` | - | - | Regional Crypto |
| SM4 Encryption (CBC/ECB/GCM) | Cryptography | `SmPlugin.cs` | - | - | Regional Crypto |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Crypto Profile Selection | Cryptography | No | No | Add `stella crypto profiles` command |
| Plugin Health Check | Cryptography | No | No | Add plugin status endpoint |
| Key Management CLI | Cryptography | No | No | Add `stella keys` commands |
| HSM Status | Cryptography | No | No | Add HSM health monitoring |
| Post-Quantum Implementation | Cryptography | No | No | Implement Dilithium/Falcon when stable |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Regional Crypto section mentions only FIPS/eIDAS/GOST:

- **Listed:** Basic regional compliance mentions
- **Actual:** 8 signature profiles, 6 plugins, HSM support, post-quantum readiness

Recommended additions:

1. Add "Signature Profiles" section (8 profiles documented)
2. Add "Plugin Architecture" description
3. Add "Multi-Profile Signing" capability (dual-stack signatures)
4. Add "SM Remote Service" for Chinese market
5. Add "Post-Quantum Readiness" (Dilithium, Falcon defined)
6. Add "HSM Integration" (PKCS#11 + simulation)
7. Document plugin configuration options
8. Add "CryptoPro GOST" for Windows environments

---

## Batch 10: Evidence & Findings

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| WORM Storage (S3 Object Lock) | EvidenceLocker | `S3EvidenceObjectStore.cs` | - | - | Evidence & Findings |
| Verdict Attestations (DSSE) | EvidenceLocker | `VerdictEndpoints.cs`, `VerdictContracts.cs` | - | `/evidence-export` | Evidence & Findings |
| Append-Only Ledger Events | Findings | `ILedgerEventRepository.cs`, `LedgerEventModels.cs` | - | `/findings` | Evidence & Findings |
| Alert Triage Bands (hot/warm/cold) | Findings | `DecisionModels.cs` | - | `/findings` | Evidence & Findings |
| Merkle Anchoring | Findings | `Infrastructure/Merkle/` | - | - | Evidence & Findings |
| Evidence Holds (Legal) | EvidenceLocker | `EvidenceHold.cs` | - | - | Evidence & Findings |
| Evidence Pack Service | Evidence.Pack | `IEvidencePackService.cs`, `EvidencePack.cs` | - | `/evidence-thread` | Evidence & Findings |
| Evidence Card Service | Evidence.Pack | `IEvidenceCardService.cs`, `EvidenceCard.cs` | - | - | Evidence & Findings |
| Profile-Based Export | ExportCenter | `ExportApiEndpoints.cs`, `ExportProfile` | - | `/evidence-export` | Evidence & Findings |
| Risk Bundle Export | ExportCenter | `RiskBundleEndpoints.cs` | - | `/evidence-export` | Evidence & Findings |
| Audit Bundle Export | ExportCenter | `AuditBundleEndpoints.cs` | - | - | Evidence & Findings |
| Lineage Evidence Export | ExportCenter | `LineageExportEndpoints.cs` | - | `/lineage` | Evidence & Findings |
| SSE Export Streaming | ExportCenter | Real-time run events | - | - | Evidence & Findings |
| Incident Mode | Findings | `IIncidentModeState.cs` | - | - | Evidence & Findings |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Evidence Holds | EvidenceLocker | No | No | Add legal hold management CLI |
| Audit Bundle Export | ExportCenter | No | Partial | Add `stella export audit` command |
| Incident Mode | Findings | No | No | Add `stella findings incident` commands |

---

## Batch 11: Determinism & Replay

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Hybrid Logical Clock | HybridLogicalClock | `HybridLogicalClock.cs`, `HlcTimestamp.cs` | - | - | Determinism & Replay |
| HLC State Persistence | HybridLogicalClock | `IHlcStateStore.cs` | - | - | Determinism & Replay |
| Canonical JSON (RFC 8785) | Canonical.Json | `CanonJson.cs`, `CanonVersion.cs` | - | - | Determinism & Replay |
| Replay Manifests V1/V2 | Replay.Core | `ReplayManifest.cs` | `stella scan replay` | - | Determinism & Replay |
| Knowledge Snapshots | Replay.Core | `KnowledgeSnapshot.cs` | - | - | Determinism & Replay |
| Replay Proofs (DSSE) | Replay.Core | `ReplayProof.cs` | `stella prove` | - | Determinism & Replay |
| Evidence Weighted Scoring (6 factors) | Signals | `EvidenceWeightedScoreCalculator.cs` | - | - | Scoring & Risk |
| Score Buckets (ActNow/ScheduleNext/Investigate/Watchlist) | Signals | Scoring algorithm | - | - | Scoring & Risk |
| Attested Reduction (short-circuit) | Signals | VEX anchoring logic | - | - | Scoring & Risk |
| Timeline Events | Eventing | `TimelineEvent.cs`, `ITimelineEventEmitter.cs` | - | - | Determinism & Replay |
| Deterministic Event IDs | Eventing | `EventIdGenerator.cs` (SHA-256) | - | - | Determinism & Replay |
| Transactional Outbox | Eventing | `TimelineOutboxProcessor.cs` | - | - | Determinism & Replay |
| Event Signing (DSSE) | Eventing | `IEventSigner.cs` | - | - | Determinism & Replay |
| Replay Bundle Writer | Replay.Core | `StellaReplayBundleWriter.cs` (tar.zst) | - | - | Determinism & Replay |
| Dead Letter Replay | Orchestrator | `IReplayManager.cs`, `ReplayManager.cs` | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| HLC Inspection | HybridLogicalClock | No | No | Add `stella hlc status` command |
| Timeline Events | Eventing | No | No | Add `stella timeline query` command |
| Scoring Explanation | Signals | No | No | Add `stella score explain` command |

---

## Batch 12: Operations

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Impact Index (Roaring bitmaps) | Scheduler | `IImpactIndex.cs` | - | - | Operations |
| Graph Build/Overlay Jobs | Scheduler | `IGraphJobService.cs` | - | `/ops/scheduler` | Operations |
| Run Preview (dry-run) | Scheduler | `RunEndpoints.cs` | - | - | Operations |
| SSE Run Streaming | Scheduler | `/runs/{runId}/stream` | - | - | Operations |
| Job Repository | Orchestrator | `IJobRepository.cs`, `Job.cs` | - | `/orchestrator` | Operations |
| Lease Management | Orchestrator | `LeaseNextAsync()`, `ExtendLeaseAsync()` | - | - | Operations |
| Dead Letter Classification | Orchestrator | `DeadLetterEntry.cs` | - | `/orchestrator` | Operations |
| First Signal Service | Orchestrator | `IFirstSignalService.cs` | - | - | Operations |
| Task Pack Execution | TaskRunner | `ITaskRunnerClient.cs` | - | - | Operations |
| Plan-Hash Binding | TaskRunner | Deterministic validation | - | - | Operations |
| Approval Gates | TaskRunner | `ApprovalDecisionRequest.cs` | - | - | Operations |
| Artifact Capture | TaskRunner | Digest tracking | - | - | Operations |
| Timeline Query Service | TimelineIndexer | `ITimelineQueryService.cs` | - | - | Operations |
| Timeline Ingestion | TimelineIndexer | `ITimelineIngestionService.cs` | - | - | Operations |
| Token-Bucket Rate Limiting | Orchestrator | Adaptive refill per tenant | - | - | Operations |
| Job Watermarks | Orchestrator | Ordering guarantees | - | - | Operations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Impact Preview | Scheduler | No | Partial | Add `stella scheduler preview` command |
| Job Management | Orchestrator | No | Yes | Add `stella orchestrator jobs` commands |
| Dead Letter Operations | Orchestrator | No | Yes | Add `stella orchestrator deadletter` commands |
| TaskRunner CLI | TaskRunner | No | No | Add `stella taskrunner` commands |
| Timeline Query CLI | TimelineIndexer | No | No | Add `stella timeline` commands |

---

## Batch 13: Release Orchestration

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| Environment Bundles | ReleaseOrchestrator | `IEnvironmentBundleService.cs`, `EnvironmentBundle.cs` | - | `/releases` | Release Orchestration |
| Promotion Workflows | ReleaseOrchestrator | `IPromotionWorkflowService.cs`, `PromotionRequest.cs` | - | `/releases` | Release Orchestration |
| Rollback Service | ReleaseOrchestrator | `IRollbackService.cs`, `RollbackRequest.cs` | - | `/releases` | Release Orchestration |
| Deployment Agents (Docker/Compose/ECS/Nomad) | ReleaseOrchestrator | `IDeploymentAgent.cs`, various agent implementations | - | `/releases` | Release Orchestration |
| Progressive Delivery (A/B, Canary) | ReleaseOrchestrator | `IProgressiveDeliveryService.cs` | - | `/releases` | Release Orchestration |
| Hook System (Pre/Post Deploy) | ReleaseOrchestrator | `IHookExecutionService.cs`, `Hook.cs` | - | `/releases` | Release Orchestration |
| Approval Gates (Multi-Stage) | ReleaseOrchestrator | `IApprovalGateService.cs`, `ApprovalGate.cs` | - | `/releases` | Release Orchestration |
| Release Bundle Signing | ReleaseOrchestrator | `IReleaseBundleSigningService.cs` | - | - | Release Orchestration |
| Environment Promotion History | ReleaseOrchestrator | `IPromotionHistoryService.cs` | - | `/releases` | Release Orchestration |
| Deployment Lock Service | ReleaseOrchestrator | `IDeploymentLockService.cs` | - | - | Release Orchestration |
| Release Manifest Generation | ReleaseOrchestrator | `IReleaseManifestService.cs` | - | - | Release Orchestration |
| Promotion Attestations | ReleaseOrchestrator | `PromotionAttestation.cs` | - | - | Attestation & Signing |
| Environment Health Checks | ReleaseOrchestrator | `IEnvironmentHealthService.cs` | - | `/releases` | Release Orchestration |
| Deployment Verification Tests | ReleaseOrchestrator | `IVerificationTestService.cs` | - | - | Release Orchestration |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Release Bundle Creation | ReleaseOrchestrator | No | Partial | Add `stella release create` command |
| Environment Promotion | ReleaseOrchestrator | No | Yes | Add `stella release promote` command |
| Rollback Operations | ReleaseOrchestrator | No | Yes | Add `stella release rollback` command |
| Hook Management | ReleaseOrchestrator | No | Partial | Add `stella release hooks` commands |
| Deployment Agent Status | ReleaseOrchestrator | No | Partial | Add `stella agent status` command |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Release Orchestration section is still mostly marked as planned:

- **Listed:** Basic environment management concepts
- **Actual:** Full promotion workflow, deployment agents, progressive delivery

Recommended additions:

1. Add "Deployment Agents" section (Docker, Compose, ECS, Nomad)
2. Add "Progressive Delivery" (A/B, Canary strategies)
3. Add "Approval Gates" (multi-stage approvals)
4. Add "Hook System" (pre/post deployment hooks)
5. Add "Promotion Attestations" (DSSE signing of promotions)
6. Document "Environment Health Checks"

---

## Batch 14: Auth & Access Control

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 75+ Authorization Scopes | Authority | `AuthorizationScopeConstants.cs` | - | `/admin/roles` | Auth & Access Control |
| DPoP Sender Constraints | Authority | `DPoPService.cs`, `DPoPValidator.cs` | - | - | Auth & Access Control |
| mTLS Sender Constraints | Authority | `MtlsClientCertificateValidator.cs` | - | - | Auth & Access Control |
| Device Authorization Flow | Authority | `DeviceAuthorizationEndpoints.cs` | - | `/login` | Auth & Access Control |
| JWT Profile for OAuth | Authority | `JwtBearerClientAssertionValidator.cs` | - | - | Auth & Access Control |
| PAR (Pushed Authorization Requests) | Authority | `ParEndpoints.cs` | - | - | Auth & Access Control |
| Tenant Isolation | Authority | `ITenantContext.cs`, `TenantResolutionMiddleware.cs` | - | - | Auth & Access Control |
| Role-Based Access Control | Authority | `IRoleService.cs`, `Role.cs` | - | `/admin/roles` | Auth & Access Control |
| Permission Grant Service | Authority | `IPermissionGrantService.cs` | - | - | Auth & Access Control |
| Token Introspection | Authority | `TokenIntrospectionEndpoints.cs` | - | - | Auth & Access Control |
| Token Revocation | Authority | `TokenRevocationEndpoints.cs` | - | - | Auth & Access Control |
| OAuth Client Management | Authority | `IClientRepository.cs`, `Client.cs` | - | `/admin/clients` | Auth & Access Control |
| User Federation (LDAP/SAML) | Authority | `IFederationProvider.cs` | - | `/admin/federation` | Auth & Access Control |
| Session Management | Authority | `ISessionStore.cs`, `Session.cs` | - | - | Auth & Access Control |
| Consent Management | Authority | `IConsentStore.cs`, `Consent.cs` | - | `/consent` | Auth & Access Control |
| Registry Token Service | Registry | `ITokenService.cs`, `TokenModels.cs` | `stella registry login` | - | Auth & Access Control |
| Scope-Based Token Minting | Registry | Pull/push/catalog scope handling | - | - | Auth & Access Control |
| Token Refresh Flow | Authority | Refresh token rotation | - | - | Auth & Access Control |
| Multi-Factor Authentication | Authority | `IMfaService.cs` | - | `/login/mfa` | Auth & Access Control |
| API Key Management | Authority | `IApiKeyService.cs` | - | `/admin/api-keys` | Auth & Access Control |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Scope Management | Authority | No | Yes | Add `stella auth scopes` commands |
| DPoP Configuration | Authority | No | No | Add DPoP configuration documentation |
| Client Management | Authority | No | Yes | Add `stella auth clients` commands |
| Role Management | Authority | No | Yes | Add `stella auth roles` commands |
| API Key Operations | Authority | No | Yes | Add `stella auth api-keys` commands |
| Token Introspection | Authority | No | No | Add `stella auth token inspect` command |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Auth section covers basics but misses advanced features:

- **Listed:** Basic OAuth/OIDC, RBAC
- **Actual:** 75+ scopes, DPoP/mTLS, federation, advanced OAuth flows

Recommended additions:

1. Add "Authorization Scopes" section (75+ granular scopes)
2. Add "Sender Constraints" (DPoP, mTLS)
3. Add "Device Authorization Flow" for CLI/IoT
4. Add "User Federation" (LDAP, SAML integration)
5. Add "PAR Support" for security-conscious clients
6. Add "Multi-Factor Authentication"
7. Add "API Key Management" for service accounts
8. Document "Tenant Isolation" architecture

---

## Batch 15: Notifications & Integrations

### Discovered Features (Not in Matrix)

| Feature | Module | Key Files | CLI | UI | Suggested Category |
|---------|--------|-----------|-----|----|--------------------|
| 10 Notification Channel Types | Notify | Email, Slack, Teams, Webhook, PagerDuty, SNS, SQS, Pub/Sub, Discord, Matrix | - | `/notifications` | Notifications |
| Template-Based Notifications | Notify | `INotificationTemplateService.cs`, `NotificationTemplate.cs` | - | `/notifications` | Notifications |
| Channel Routing Rules | Notify | `IChannelRoutingService.cs`, `RoutingRule.cs` | - | `/notifications` | Notifications |
| Delivery Receipt Tracking | Notify | `IDeliveryReceiptService.cs`, `DeliveryReceipt.cs` | - | - | Notifications |
| Notification Preferences | Notify | `IPreferenceService.cs`, `UserPreference.cs` | - | `/settings` | Notifications |
| Digest/Batch Notifications | Notify | `IDigestService.cs` | - | `/notifications` | Notifications |
| Kubernetes Admission Webhooks | Zastava | `AdmissionWebhookEndpoints.cs` | - | - | Integrations |
| OCI Registry Push Hooks | Zastava | `IWebhookProcessor.cs`, `RegistryPushEvent.cs` | - | - | Integrations |
| Scan-on-Push Trigger | Zastava | Auto-trigger scanning on registry push | - | - | Integrations |
| SCM Webhooks (GitHub/GitLab/Bitbucket) | Integrations | `IScmWebhookHandler.cs` | - | `/integrations` | Integrations |
| CI/CD Webhooks | Integrations | Jenkins, CircleCI, GitHub Actions integration | - | `/integrations` | Integrations |
| Issue Tracker Integration | Integrations | Jira, GitHub Issues, Linear integration | - | `/integrations` | Integrations |
| Slack App Integration | Integrations | `ISlackAppService.cs`, slash commands | - | `/integrations` | Integrations |
| MS Teams App Integration | Integrations | `ITeamsAppService.cs`, adaptive cards | - | `/integrations` | Integrations |
| Notification Studio | Notifier | Template design and preview | - | `/notifications/studio` | Notifications |
| Escalation Rules | Notify | `IEscalationService.cs` | - | `/notifications` | Notifications |
| On-Call Schedule Integration | Notify | PagerDuty, OpsGenie integration | - | `/notifications` | Notifications |
| Webhook Retry Logic | Notify | Exponential backoff, dead letter | - | - | Notifications |
| Event-Driven Notifications | Notify | Timeline event subscription | - | - | Notifications |
| Custom Webhook Payloads | Integrations | `IWebhookPayloadFormatter.cs` | - | `/integrations` | Integrations |

### Coverage Gaps

| Feature | Module | Has CLI | Has UI | Recommendation |
|---------|--------|---------|--------|----------------|
| Channel Configuration | Notify | No | Yes | Add `stella notify channels` commands |
| Template Management | Notify | No | Yes | Add `stella notify templates` commands |
| Webhook Testing | Integrations | No | Partial | Add `stella integrations test` command |
| K8s Webhook Installation | Zastava | No | No | Add `stella zastava install` command |
| Notification Preferences | Notify | No | Yes | Add `stella notify preferences` commands |

### Matrix Update Recommendations

The FEATURE_MATRIX.md Notifications section is basic:

- **Listed:** Basic webhook/email notifications
- **Actual:** 10 channel types, template engine, routing rules, escalation

Recommended additions:

1. Add "Notification Channels" section (10 types)
2. Add "Template Engine" for customizable messages
3. Add "Channel Routing" for sophisticated delivery
4. Add "Escalation Rules" for incident response
5. Add "Notification Studio" for template design
6. Add "Kubernetes Admission Webhooks" (Zastava)
7. Add "SCM Integrations" (GitHub, GitLab, Bitbucket)
8. Add "CI/CD Integrations" (Jenkins, CircleCI, GitHub Actions)
9. Add "Issue Tracker Integration" (Jira, GitHub Issues)
10. Document "Scan-on-Push" auto-trigger

---

## Summary: Overall Matrix Gaps

### Major Documentation Gaps Identified

| Category | Matrix Coverage | Actual Coverage | Gap Severity |
|----------|-----------------|-----------------|--------------|
| Advisory Sources | 11 sources | 33+ connectors | **CRITICAL** |
| VEX Processing | Basic | Full consensus engine | **HIGH** |
| Attestation & Signing | Basic | 25+ predicates | **HIGH** |
| Auth Scopes | Basic RBAC | 75+ granular scopes | **HIGH** |
| Policy Engine | Basic | K4 lattice, 10+ gates | **MEDIUM** |
| Regional Crypto | 3 profiles | 8 profiles, 6 plugins | **MEDIUM** |
| Notifications | 2 channels | 10 channels | **MEDIUM** |
| Binary Analysis | Basic | 4 fingerprint algorithms | **MEDIUM** |
| Release Orchestration | Planned | Partially implemented | **LOW** |

### CLI/UI Coverage Statistics

| Metric | Value |
|--------|-------|
| Features with CLI | ~65% |
| Features with UI | ~70% |
| Features with both | ~55% |
| Internal-only features | ~25% |

### Recommended Next Steps

1. **Immediate**: Update Advisory Sources section (33+ connectors undocumented)
2. **High Priority**: Document VEX consensus engine capabilities
3. **High Priority**: Document attestation predicate types
4. **Medium Priority**: Update auth scopes documentation
5. **Medium Priority**: Complete policy engine documentation
6. **Low Priority**: Document internal operations features