9.8 KiB
Key Features — Capability Cards
Core Thesis: Stella Ops Suite isn't a scanner or a deployment tool—it's a release control plane that produces attestable decisions that can be replayed. Security is a gate, not a blocker. Evidence survives auditors, regulators, and supply-chain propagation.
Looking for the complete feature catalog? See
full-features-list.mdfor the comprehensive list, orFEATURE_MATRIX.mdfor tier-by-tier availability.
At a Glance
| What Competitors Do | What Stella Ops Suite Does |
|---|---|
| CI/CD runs pipelines | Central release authority across environments |
| Deployment tools promote | Promotion with integrated security gates |
| Scanners output findings | Security gates output decisions with proof chains |
| VEX as suppression file | VEX as logical claim system (K4 lattice) |
| Release identity via tags | Release identity via immutable digests |
| Per-seat/per-project pricing | Pay for environments + new digests/day |
| Online-first | Offline-first with full parity |
Release Orchestration (Planned)
0. Release Control Plane
The new core capability. Stella Ops Suite becomes the central release authority between CI and runtime targets.
| Capability | What It Does |
|---|---|
| Environment management | Define Dev/Stage/Prod with freeze windows and approval policies |
| Release bundles | Compose releases from component OCI digests with semantic versioning |
| Promotion workflows | DAG-based workflow engine with approvals, gates, and hooks |
| Security gates | Scan on build, evaluate on release, re-evaluate on CVE updates |
| Deployment execution | Deploy to Docker/Compose/ECS/Nomad via agents or agentless |
| Evidence packets | Every release decision is cryptographically signed and stored |
Why it matters: Non-Kubernetes container teams finally get a central release authority with audit-grade evidence—without replacing their existing CI/SCM/registry stack.
1. Digest-First Release Identity
Tags are mutable; digests are truth. A release is an immutable set of OCI digests, resolved at release creation time.
Release: myapp-v2.3.1
Components:
api: sha256:abc123...
worker: sha256:def456...
frontend: sha256:789ghi...
What this enables:
- Tamper detection at pull time (digest mismatch = deployment failure)
- Audit trail of exactly what was deployed
- Rollback to known-good digests, not "latest" tags
- "What is deployed where" tracking with integrity
Modules (planned): ReleaseManager, ComponentRegistry, VersionManager
2. Promotion Workflows with Security Gates
Security integrated into release flow, not bolted on. Promotion requests trigger gate evaluation before deployment.
| Gate Type | What It Checks |
|---|---|
| Security gate | Reachable critical/high vulnerabilities |
| Approval gate | Required approval count, separation of duties |
| Freeze window gate | Environment freeze windows |
| Policy gate | Custom OPA/Rego policies |
| Previous environment gate | Release deployed to prior environment |
Decision records include:
- All gate results with pass/fail reasons
- Evidence refs (scan verdicts, approval records)
- Policy hash + inputs hash for replay
- "Why blocked?" explainability
Modules (planned): PromotionManager, ApprovalGateway, DecisionEngine
3. Deployment Execution
Deploy to non-Kubernetes targets as first-class citizens. Agent-based or agentless deployment to Docker hosts, Compose, ECS, Nomad.
| Target Type | Deployment Method |
|---|---|
| Docker host | Agent pulls and starts containers |
| Compose host | Agent writes compose.stella.lock.yml and runs docker-compose up |
| ECS service | Agent updates task definition and service |
| Nomad job | Agent updates job spec and submits |
| SSH remote | Agentless via SSH (Linux) |
| WinRM remote | Agentless via WinRM (Windows) |
Generated artifacts:
compose.stella.lock.yml: Pinned digests, resolved environment refsstella.version.json: Version sticker on target for drift detectionrelease.evidence.json: Decision record
Modules (planned): DeployOrchestrator, Agent.*, ArtifactGenerator
4. Progressive Delivery
A/B releases and canary deployments. Gradual rollout with automatic rollback on health failure.
| Strategy | Description |
|---|---|
| Immediate | 0% → 100% instantly |
| Canary | 10% → 25% → 50% → 100% with health checks |
| Blue-green | Deploy to B, switch traffic, retire A |
| Rolling | 10% at a time with health checks |
Traffic routing plugins: Nginx, HAProxy, Traefik, AWS ALB
Modules (planned): ABManager, TrafficRouter, CanaryController
5. Plugin System (Three-Surface Model)
Extensible without core code changes. Plugins contribute through three surfaces.
| Surface | What It Does |
|---|---|
| Manifest | Declares what the plugin provides (integrations, steps, agents) |
| Connector runtime | gRPC interface for runtime operations |
| Step provider | Execution characteristics for workflow steps |
Plugin types:
- Integration connectors: SCM (GitHub, GitLab), CI (Actions, Jenkins), Registry (Harbor, ECR), Vault (HashiCorp, AWS Secrets)
- Step providers: Custom workflow steps
- Agent types: New deployment targets
- Gate providers: Custom gate evaluations
Modules (planned): PluginRegistry, PluginLoader, PluginSandbox, PluginSDK
Security Capabilities (Operational)
6. Decision Capsules — Audit-Grade Evidence Bundles
Every scan and release decision is sealed. A Decision Capsule is a content-addressed bundle containing everything needed to reproduce and verify the decision.
| Component | What's Included |
|---|---|
| Inputs | Exact SBOM, frozen feed snapshots (with Merkle roots), policy version |
| Evidence | Reachability proofs (static + runtime), VEX statements, binary fingerprints |
| Outputs | Verdicts, risk scores, remediation paths |
| Signatures | DSSE envelopes over all of the above |
Why it matters: Auditors can replay any decision bit-for-bit. This is what "audit-grade assurance" actually means.
Modules: EvidenceLocker, Attestor, Replay
7. Lattice Policy + OpenVEX (K4 Logic)
VEX as a logical claim system, not a suppression file. The policy engine uses Belnap K4 four-valued logic.
| State | Meaning |
|---|---|
| Unknown (bottom) | No information |
| True | Positive assertion |
| False | Negative assertion |
| Conflict (top) | Contradictory assertions |
Why it matters: When vendor says "not_affected" but runtime shows the function was called, you have a conflict—not a false positive.
Modules: VexLens, TrustLatticeEngine, Policy
8. Signed Reachability Proofs
Proof of exploitability, not just a badge. Every reachability graph is sealed with DSSE.
| Layer | What It Proves |
|---|---|
| Static | Call graph shows path from entrypoint → vulnerable function |
| Binary | Compiled binary contains the symbol |
| Runtime | Process actually executed the code path |
Why it matters: "Here's the exact call path" vs "potentially reachable." Signed, not claimed.
Modules: ReachGraph, PathWitnessBuilder
9. Deterministic Replay
The audit-grade guarantee. Every scan produces a DSSE + SRM bundle that can be replayed.
# Six months later, prove what you knew
stella replay srm.yaml --assert-digest sha256:abc123...
# Output: PASS - identical result
What's frozen: Feed snapshots, analyzer versions, policy rules, random seeds.
Modules: Replay, Scanner, Policy
10. Sovereign Crypto Profiles
Regional compliance without code changes. FIPS, eIDAS, GOST, SM, and PQC profiles are configuration toggles.
| Profile | Use Case |
|---|---|
| FIPS-140-3 | US federal |
| eIDAS | EU qualified signatures |
| GOST-2012 | Russian Federation |
| SM2 | People's Republic of China |
| PQC | Post-quantum readiness |
Modules: Cryptography, CryptoProfile
11. Offline Operations (Air-Gap Parity)
Full functionality without network. Offline Update Kits bundle everything needed.
| Component | Offline Method |
|---|---|
| Feed updates | Sealed bundle with Merkle roots |
| Crypto verification | Embedded revocation lists |
| Transparency logging | Local transparency mirror |
Modules: AirGap.Controller, TrustStore
Competitive Moats Summary
Six capabilities no competitor offers together:
| # | Capability | Category |
|---|---|---|
| 1 | Non-Kubernetes Specialization | Release orchestration |
| 2 | Digest-First Release Identity | Release orchestration |
| 3 | Security Gates in Promotion Flow | Release orchestration |
| 4 | Signed Reachability Proofs | Security |
| 5 | Deterministic Replay | Security |
| 6 | Sovereign + Offline Operation | Operations |
Pricing moat: No per-seat, per-project, or per-deployment tax. Limits are environments + new digests/day.
Quick Reference
Key Documents
- Product Vision:
docs/product/VISION.md - Architecture Overview:
docs/ARCHITECTURE_OVERVIEW.md - Release Orchestrator Architecture:
docs/modules/release-orchestrator/architecture.md - Competitive Landscape:
docs/product/competitive-landscape.md - Quickstart:
docs/quickstart.md - Feature Matrix:
docs/FEATURE_MATRIX.md