stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
93872e73ec6d9418ba0f940e51ddd1997a6211b3
git.stella-ops.org/docs/modules
History
master 93872e73ec Verify supported-route live search matrix
2026-03-08 02:23:58 +02:00
..
_template
docs re-org, audit fixes, build fixes
2026-01-05 09:35:33 +02:00
advisory-ai
Harden live-backed unified search weighting and indexing
2026-03-08 02:23:43 +02:00
airgap
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
aoc
part #2
2026-02-04 19:59:20 +02:00
api
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
attestor
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
authority
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
binary-index
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
cli
Harden live-backed unified search weighting and indexing
2026-03-08 02:23:43 +02:00
concelier
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
cryptography
docs consolidation, big sln build fixes, new advisories and sprints/tasks
2026-01-05 18:37:08 +02:00
doctor
save checkpoint: save features
2026-02-12 10:27:23 +02:00
evidence-locker
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
excititor
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
export-center
Gaps fill up, fixes, ui restructuring
2026-02-19 22:10:54 +02:00
feedser
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
findings-ledger
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
graph
search and ai stabilization work, localization stablized.
2026-02-24 23:29:36 +02:00
integrations
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
issuer-directory
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
jobengine
texts fixes, search bar fixes, global menu fixes.
2026-03-05 18:15:30 +02:00
mirror
partly or unimplemented features - now implemented
2026-02-09 08:53:51 +02:00
notifier
Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.
2025-12-29 07:45:03 +02:00
notify
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
platform
Fix release health multi-scope evidence contracts
2026-03-07 05:13:36 +02:00
plugin
wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10
2026-02-23 15:30:50 +02:00
policy
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
provenance
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
reach-graph
partly or unimplemented features - now implemented
2026-02-09 08:53:51 +02:00
registry
stabilize tests
2026-02-01 21:37:40 +02:00
release-orchestrator
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
remediation
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
replay
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
router
Fix router ASP.NET request body binding
2026-03-07 04:26:54 +02:00
runtime-instrumentation
wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10
2026-02-23 15:30:50 +02:00
sbom-service
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
scanner
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
signals
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
signer
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
sm-remote
wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10
2026-02-23 15:30:50 +02:00
telemetry
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
timeline
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
tools
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
ui
Verify supported-route live search matrix
2026-03-08 02:23:58 +02:00
unknowns
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
vex-hub
docs consolidation, big sln build fixes, new advisories and sprints/tasks
2026-01-05 18:37:08 +02:00
vex-lens
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
web
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00
zastava
stabilize tests
2026-02-01 21:37:40 +02:00
README.md
consolidation of some of the modules, localization fixes, product advisories work, qa work
2026-03-05 03:54:22 +02:00

README.md

StellaOps Module Documentation Index

This directory contains architecture documentation for all StellaOps modules.

Platform Statistics

Metric Count
Source modules 63
Documented modules 79
Runnable services (Program.cs) 47
Modules with workers 19
PostgreSQL databases 30
SQL migration files ~180
Total .csproj files 1,105

Module Categories

Core Platform

Module Path Description
Authority src/Authority/ Authentication, authorization, OAuth/OIDC, DPoP. Includes IssuerDirectory (Sprint 216).
Router src/Router/ Transport-agnostic messaging (TCP/TLS/UDP/RabbitMQ/Valkey). Also contains StellaOps.Gateway.WebService for HTTP ingress and binary protocol bridging.
Platform src/Platform/ Platform architecture and Platform Service aggregation APIs

Data Ingestion

Module Path Description
Concelier src/Concelier/ Vulnerability advisory ingestion and merge engine. Includes Feedser and Excititor (Sprint 203).
VexLens src/VexLens/ VEX consensus computation across issuers
VexHub src/VexHub/ VEX distribution and exchange hub
Mirror src/Mirror/ Vulnerability feed mirror and distribution

Scanning & Analysis

Module Path Description
Scanner src/Scanner/ Container scanning with SBOM generation. Includes Cartographer (Sprint 201).
BinaryIndex src/BinaryIndex/ Binary identity extraction and fingerprinting. Includes Symbols (Sprint 202).
AdvisoryAI src/AdvisoryAI/ AI-assisted advisory analysis. Includes OpsMemory (Sprint 213).
ReachGraph src/ReachGraph/ Reachability graph service

Artifacts & Evidence

Module Path Description
Attestor src/Attestor/ in-toto/DSSE attestation generation. Includes Signer and Provenance (Sprint 204).
SbomService src/SbomService/ SBOM storage, versioning, and lineage ledger
EvidenceLocker src/EvidenceLocker/ Sealed evidence storage and export
ExportCenter src/ExportCenter/ Batch export and report generation
Provcache Library Production provenance cache shared library family

Policy & Risk

Module Path Description
Policy src/Policy/ Policy engine with K4 lattice logic
Unknowns src/Unknowns/ Unknown component tracking registry (boundary preserved, Sprint 206)
Findings src/Findings/ Centralized findings aggregation and evidence graphs. Includes RiskEngine and VulnExplorer (Sprint 207).

Release & Orchestration

Module Path Description
ReleaseOrchestrator src/ReleaseOrchestrator/ Central release control plane (active development)
JobEngine src/JobEngine/ Workflow orchestration, job scheduling, task execution, and pack registry. Includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221).
Remediation src/Remediation/ Fix template marketplace for CVE remediation

Operations & Observability

Module Path Description
Doctor src/Doctor/ Diagnostic framework for system health validation
Notify src/Notify/ Notification toolkit (Email, Slack, Teams, Webhooks). Boundary preserved with Notifier (Sprint 209).
Notifier src/Notifier/ Notifications Studio host. Boundary preserved with Notify (Sprint 209).
Timeline src/Timeline/ Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210).
Replay src/Replay/ Deterministic replay engine

Integration & Clients

Module Path Description
CLI src/Cli/ Command-line interface (Native AOT)
Zastava src/Zastava/ Container registry webhook observer
Web/UI src/Web/ Angular 21 frontend SPA
API src/Api/ OpenAPI contracts and governance
Registry src/Registry/ Container registry integration
Integrations src/Integrations/ Integration hub for external systems (SCM, CI, registries, secrets). Includes IDE extensions (VS Code, JetBrains) under __Extensions/ (Sprint 214).

Infrastructure & Libraries

Module Path Description
Cryptography src/Cryptography/ Crypto plugins (FIPS, eIDAS, GOST, SM, PQ)
SmRemote src/SmRemote/ Remote SM2/SM3/SM4 cryptographic operations
Telemetry src/Telemetry/ OpenTelemetry traces, metrics, logging
Graph src/Graph/ Call graph and reachability data structures
Signals src/Signals/ Runtime signal collection and correlation
AirGap src/AirGap/ Air-gapped deployment support
AOC src/Aoc/ Append-Only Contract enforcement
Plugin src/Plugin/ Plugin SDK, registry, sandbox, and host framework
RuntimeInstrumentation src/RuntimeInstrumentation/ Tetragon-based eBPF runtime instrumentation
Facet Library Production cross-module faceting library (Scanner + Policy)

Testing & Benchmarks

Module Path Description
Benchmark Scanner library Competitive benchmarking (accuracy comparison)
Tools src/Tools/ Developer utility tools, benchmarks, SDK generator, verifier, dev portal. Includes Bench, Verifier, Sdk, DevPortal (Sprint 212).

Cross-Cutting Concepts

Folder Purpose
Analytics Analytics capabilities (embedded in Platform)
Evidence Unified evidence model specification
Eventing Event envelope schemas and libraries
Snapshot Knowledge snapshot and replay concepts
Triage Vulnerability triage workflows
DevOps DevOps and CI/CD infrastructure
CI CI pipeline documentation
Reachability Reachability concepts (split between ReachGraph and Scanner)
SARIF Export SARIF export format (capability within ExportCenter)

Module Catalog

AdvisoryAI

  • Source: src/AdvisoryAI/
  • Docs: docs/modules/advisory-ai/
  • Type: Service
  • Database: PostgreSQL (2 SQL migrations: chat audit, knowledge search)
  • Endpoints: 7 (attestation, chat, evidence pack, knowledge search, LLM adapter, run, companion explain)

AI-powered advisory summarization and knowledge search service using LLM inference to explain vulnerability advisories, VEX evidence, and remediation guidance. Uses retrieval-augmented generation (RAG) over advisories, VEX, and platform documentation with configurable LLM backends (Claude, OpenAI, Ollama, Gemini). Includes chat audit logging, doctor-search controls, and guardrails for determinism and offline operation.

Dependencies: Concelier, VEX Lens / Excititor, Policy Engine, SBOM Service, LLM providers.

AirGap

  • Source: src/AirGap/
  • Docs: docs/modules/airgap/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 1 (AirGapEndpoints)

Air-gapped deployment controller, importer, and cryptographic time anchor enabling StellaOps operation in fully disconnected environments. Handles bundle import/export, trust verification, and sealed-mode enforcement. Time service provides cryptographic time anchors using Roughtime or RFC3161.

Dependencies: Authority, Concelier / Excititor, Signer / Attestor.

Aoc

  • Source: src/Aoc/
  • Docs: docs/modules/aoc/
  • Type: CLI / Library
  • Database: None
  • Endpoints: None

CLI tool and Roslyn analyzers enforcing the Aggregation-Only Contract (AOC) across the platform. Validates that ingestion services preserve raw upstream data without modification, maintain full provenance chains, and never merge conflicting observations.

Dependencies: None (standalone validation tool).

Api

  • Source: src/Api/
  • Docs: docs/modules/api/
  • Type: Library
  • Database: None
  • Endpoints: None

Shared API contracts, governance rules, and OpenAPI generation libraries used across all StellaOps services. Includes StellaOps.Api (core contracts), StellaOps.Api.Governance (validators), and StellaOps.Api.OpenApi (specification generation).

Dependencies: None (consumed as a library).

Attestor

  • Source: src/Attestor/
  • Docs: docs/modules/attestor/
  • Type: Service
  • Database: PostgreSQL (ProofChainDbContext, 10 SQL migrations)
  • Endpoints: 6 (verdict, predicate registry, core attestor, watchlist, and more)

Transparency-logged attestation service that submits DSSE envelopes to Rekor v2, retrieves inclusion proofs, and exposes verification APIs. Accepts DSSE only from the Signer over mTLS and enforces chain-of-trust to Stella Ops roots. Includes predicate type registry, identity watchlist, and trust verdict storage.

Dependencies: Signer, Rekor v2, Authority.

Authority

  • Source: src/Authority/
  • Docs: docs/modules/authority/
  • Type: Service
  • Database: PostgreSQL (7 SQL migrations)
  • Endpoints: 4+ (authorize, token, JWKS, discovery)

On-premises OIDC/OAuth2 identity service issuing short-lived, sender-constrained operational tokens (OpToks) with DPoP and mTLS binding. Supports RBAC scopes, multi-tenant claims with header-based tenant selection, deterministic validation, console admin endpoints, and LDAP/Standard client provisioning plugins.

Dependencies: Valkey (DPoP nonce store, token caching).

Bench (archived -- absorbed into Tools)

  • Source: src/Tools/StellaOps.Bench/
  • Docs: docs/modules/tools/
  • Type: Tool
  • Database: None
  • Endpoints: None

Performance benchmark harnesses for critical platform subsystems including Link-Not-Merge, VEX, Notify, Policy Engine, and Scanner analyzers. Absorbed into src/Tools/ as of Sprint 212.

Dependencies: None (standalone benchmarks).

BinaryIndex

  • Source: src/BinaryIndex/
  • Docs: docs/modules/binary-index/
  • Type: Service
  • Database: PostgreSQL (BinaryIndexDbContext, 5 SQL migrations)
  • Endpoints: Defined in WebService Program.cs

Vulnerable binaries database enabling detection of vulnerable code at the binary level, independent of package metadata, using fingerprint claims and delta signatures. Addresses unreliable package version strings (backports, custom builds, stripped metadata).

Dependencies: Scanner, Concelier.

Cartographer (absorbed into Scanner -- Sprint 201)

  • Source: src/Scanner/StellaOps.Scanner.Cartographer/ (moved from src/Cartographer/)
  • Docs: Historical doc archived at docs-archived/modules/cartographer/README.md; active contract is docs/modules/scanner/
  • Type: Service
  • Database: None
  • Endpoints: Defined in Scanner Program.cs

Infrastructure topology discovery and service mapping for container environments. Produces SBOM snapshots and topology graphs consumed by the Graph Indexer. Environment topology and promotion lanes are now owned by the Release Orchestrator. Consolidated into Scanner per Sprint 201.

Dependencies: Graph, Scanner.

CLI

Command-line interface for driving StellaOps workflows including scanning, policy operations, VEX/vulnerability data pulls, verification, offline kit administration, knowledge search, and migration management. Supports build-time SBOM generation via Buildx orchestration and authenticates via Authority DPoP tokens.

Dependencies: Scanner.WebService, Authority, AdvisoryAI, Policy Engine, Concelier / Excititor, Signer / Attestor, Platform.

Concelier

  • Source: src/Concelier/
  • Docs: docs/modules/concelier/
  • Type: Service
  • Database: PostgreSQL (24 SQL migrations)
  • Endpoints: 9 (advisory source, air-gap, canonical advisory, federation, feed mirror, feed snapshot, interest score, mirror, SBOM)

Advisory ingestion and Link-Not-Merge (LNM) observation pipeline producing deterministic raw observations, correlation linksets, and evidence events. Acquires authoritative vulnerability advisories from vendor PSIRTs, distros, OSS ecosystems, and CERTs, persisting them as immutable observations under AOC.

Dependencies: Policy Engine, Excititor, Graph, AirGap, Feedser.

Cryptography

Pluggable cryptographic primitives supporting regional standards (eIDAS, FIPS, GOST, SM) with algorithm-agile signing operations. Plugins include HSM integration, ECDSA, and EdDSA signing profiles. All operations are deterministic and support offline operation.

Dependencies: None (consumed as a library by Signer, Attestor, and other services).

DevPortal (archived -- absorbed into Tools)

  • Source: src/Tools/StellaOps.DevPortal.Site/
  • Docs: docs/modules/tools/
  • Type: Static Site
  • Database: None
  • Endpoints: None

Developer portal static site providing API documentation, integration guides, SDK references, and getting-started tutorials. Absorbed into src/Tools/ as of Sprint 212.

Dependencies: None (static site).

Doctor

  • Source: src/Doctor/
  • Docs: docs/modules/doctor/
  • Type: Service
  • Database: None (uses Valkey for caching)
  • Endpoints: 3 (doctor, scheduler, timestamping)

Diagnostic framework for validating system health, configuration, integration connectivity, and OCI registry compatibility. Plugin-based architecture with binary analysis, notification validation, and observability probing. Integrates with AdvisoryAI knowledge search for diagnostic assistance.

Dependencies: All platform services (health check targets), external registries, AdvisoryAI.

EvidenceLocker

  • Source: src/EvidenceLocker/
  • Docs: docs/modules/evidence-locker/
  • Type: Service
  • Database: PostgreSQL (EvidenceDbContext, 5 SQL migrations)
  • Endpoints: 4 (evidence audit, evidence thread, export, verdict)

Tamper-proof, immutable evidence storage for vulnerability scan evidence, audit logs, and compliance artifacts with cryptographic sealing. Evidence is content-addressable. Once sealed, evidence cannot be modified. Supports threads, verdicts, bundle packaging, and portable bundles for offline compliance audits.

Dependencies: Attestor, Authority, object storage.

Excititor (absorbed into Concelier -- Sprint 203)

  • Source: src/Concelier/ (moved from src/Excititor/)
  • Docs: docs/modules/excititor/ (historical reference; see docs/modules/concelier/)
  • Type: Service
  • Database: PostgreSQL (10 SQL migrations, separate ExcititorDbContext)
  • Endpoints: 11 (attestation, evidence, ingest, linkset, mirror, mirror registration, observation, policy, Rekor attestation, resolve, risk feed)

VEX ingestion and consensus pipeline converting heterogeneous VEX statements (OpenVEX, CSAF VEX, CycloneDX VEX) into immutable observations with provenance-preserving linksets. Does not decide PASS/FAIL; supplies evidence with statuses, justifications, and provenance weights. Conflicting observations are preserved unchanged. Consolidated into Concelier per Sprint 203; DbContext remains separate.

Dependencies: Policy Engine, Concelier, Attestor, Graph.

ExportCenter

  • Source: src/ExportCenter/
  • Docs: docs/modules/export-center/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 15 (profile management, export runs, distribution, status, download)

Evidence and policy overlay packaging service producing reproducible, deterministic export bundles in multiple formats (JSON, SARIF, offline kit). Enforces AOC guardrails and produces deterministic manifests with optional signing and distribution to OCI registries or object storage.

Dependencies: Findings Ledger, Policy Engine, JobEngine, Authority, Attestor, object storage.

Extensions (absorbed into Integrations -- Sprint 214)

  • Source: src/Integrations/__Extensions/ (moved from src/Extensions/)
  • Docs: See Integrations architecture
  • Type: IDE Extensions (non-.NET: TypeScript/Kotlin)
  • Database: None
  • Endpoints: None

IDE extensions for JetBrains IDEs and Visual Studio Code providing inline vulnerability information, policy status, and StellaOps workflow integration directly within the developer's editor environment. Now lives under the Integrations module.

Dependencies: Platform API, JobEngine API, Authority.

Feedser (absorbed into Concelier -- Sprint 203)

Evidence collection library for backport detection and binary fingerprinting supporting the four-tier backport proof system. Extracts patch signatures from unified diffs and binary fingerprints from compiled code. Consumed primarily by Concelier's ProofService layer. All outputs are deterministic with canonical JSON serialization. Consolidated into Concelier per Sprint 203.

Dependencies: None (consumed as a library by Concelier).

Findings

  • Source: src/Findings/
  • Docs: docs/modules/findings-ledger/
  • Type: Service
  • Database: PostgreSQL (via shared libraries)
  • Endpoints: 8 (backport, evidence graph, finding summary, reachability map, runtime timeline, runtime traces, scoring, webhook)

Centralized findings aggregation service providing backport tracking, evidence graphs, finding summaries, reachability maps, runtime timelines, scoring, and webhook notifications. Aggregates vulnerability findings from Scanner, Policy, Concelier, and Excititor into a unified query surface. Includes a LedgerReplayHarness tool for deterministic replay testing.

Dependencies: Scanner, Policy Engine, Concelier / Excititor, Attestor.

Gateway (deleted -- Sprint 200)

  • Source: (deleted) -- Gateway WebService now lives under src/Router/StellaOps.Gateway.WebService/
  • Docs: docs-archived/modules/gateway/ (historical reference)
  • Type: (deleted)
  • Database: None
  • Endpoints: None

The standalone src/Gateway/ module was deleted in Sprint 200. The canonical Gateway WebService (StellaOps.Gateway.WebService) now lives under src/Router/. The Router module owns HTTP ingress, binary protocol bridging, routing, and transport abstraction.

Dependencies: See Router.

Graph

  • Source: src/Graph/
  • Docs: docs/modules/graph/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in Graph Indexer Persistence)
  • Endpoints: 3 (graph query, analytics, overlay)

SBOM dependency graph store with a rich node/edge model covering artifacts, SBOMs, components, advisories, VEX statements, and policy versions with reachability overlays. The Graph Indexer processes events from Cartographer/SBOM Service, Concelier/Excititor, and policy runs to maintain the graph.

Dependencies: Cartographer / SBOM Service, Concelier / Excititor, Policy Engine, Scanner.

Integrations

  • Source: src/Integrations/
  • Docs: docs/modules/integrations/
  • Type: Service
  • Database: PostgreSQL (IntegrationDbContext, EF Core managed)
  • Endpoints: 2

Integration hub managing connections to external systems (SCM, CI, registries, secrets vaults) with health monitoring. Stores connection profiles, manages credential references, and monitors integration health. Plugins under __Plugins provide specific connector implementations.

Dependencies: Authority, external SCM/CI/Registry/Vault systems.

IssuerDirectory (absorbed into Authority -- Sprint 216)

  • Source: src/Authority/ (moved from src/IssuerDirectory/)
  • Docs: docs/modules/issuer-directory/ (historical reference; see docs/modules/authority/)
  • Type: Service
  • Database: PostgreSQL (1 SQL migration, separate IssuerDirectoryDbContext)
  • Endpoints: 3 (issuer, issuer key, issuer trust)

Centralized trusted VEX/CSAF publisher metadata registry enabling issuer identity resolution, key management, and trust weight assignment. Key lifecycle management validates Ed25519, X.509, and DSSE public keys with fingerprint deduplication. On startup, imports default CSAF publishers into the global tenant. Consolidated into Authority per Sprint 216; DbContext remains separate for security isolation.

Dependencies: Authority.

Mirror

  • Source: src/Mirror/
  • Docs: docs/modules/mirror/
  • Type: Library / Tool
  • Database: None
  • Endpoints: None

Vulnerability feed mirror and distribution utility for offline operation and reduced latency. Produces bundles for air-gapped distribution with cryptographic verification. Primary component is StellaOps.Mirror.Creator for assembling mirror bundles.

Dependencies: Upstream vulnerability feeds (NVD, OSV, GHSA), Concelier.

Notifier

  • Source: src/Notifier/
  • Docs: docs/modules/notifier/
  • Type: Service
  • Database: None (uses Notify's persistence layer)
  • Endpoints: 14 (escalation, fallback, incident, localization, observability, operator override, quiet hours, rule, security, simulation, storm breaker, template, throttle, notify API)

Notifications Studio host application composing the Notify toolkit libraries into a full-featured notification management service. Provides 73+ routes covering escalation policies, fallback routing, incident tracking, localization, security controls, simulation testing, storm breaking (anti-spam), and more.

Dependencies: Notify libraries, Authority, Slack/Teams/Email/Webhook channels.

Notify

  • Source: src/Notify/
  • Docs: docs/modules/notify/
  • Type: Service / Library
  • Database: PostgreSQL (2 SQL migrations)
  • Endpoints: 2 (via WebService Program.cs)

Rules-driven, tenant-aware notification engine providing event consumption, operator-defined routing, channel-specific rendering, and reliable delivery with idempotency, throttling, and digests. Foundation library consumed by the Notifier host application. Secrets for channels are referenced, not stored raw.

Dependencies: Scanner / Scheduler / Excititor / Concelier / Attestor / Zastava (event sources), Slack/Teams/Email/Webhook, Authority.

OpsMemory (consolidated into AdvisoryAI)

  • Source: src/AdvisoryAI/__Libraries/StellaOps.OpsMemory/ (library), src/AdvisoryAI/StellaOps.OpsMemory.WebService/ (service)
  • Docs: docs/modules/advisory-ai/architecture.md section 15
  • Archived docs: docs-archived/modules/opsmemory/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure, schema managed programmatically)
  • Endpoints: 1 (OpsMemoryEndpoints)

Decision ledger capturing the lifecycle of security decisions with similarity-based suggestion retrieval for organizational learning. Uses similarity vectors to suggest relevant precedents for new situations. Deterministic with fixed similarity formulas, no randomness in ranking, and multi-tenant isolation. Consolidated from standalone src/OpsMemory/ module into src/AdvisoryAI/ per Sprint 213.

Dependencies: AdvisoryAI, Authority, Findings Ledger.

JobEngine (formerly Orchestrator)

  • Source: src/JobEngine/
  • Docs: docs/modules/jobengine/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure)
  • Endpoints: 25 (approvals, audit, circuit breakers, DAG, dead letter, export jobs, first signal, health, jobs, KPIs, ledger, OpenAPI, pack registry, pack runs, quotas, governance, release control v2, release dashboard, releases, runs, scale, SLOs, sources, streams, workers)

Source and job orchestration service managing job lifecycle, rate-limit governance, DAG execution, circuit breakers, and worker coordination. Applies quotas and rate limits per tenant/jobType, manages leasing to workers, handles completion tracking with retry policies, and supports replay. SDK bridges exist for Go and Python workers. Renamed from Orchestrator (Sprint 221). Now includes Scheduler, TaskRunner, and PacksRegistry (Sprint 208).

Dependencies: Concelier / Excititor / ExportCenter / Policy (job producers), Valkey or NATS, Authority.

PacksRegistry (absorbed into JobEngine -- Sprint 208)

  • Source: src/JobEngine/ (moved from src/PacksRegistry/)
  • Docs: docs/modules/packs-registry/ (historical reference; see docs/modules/jobengine/)
  • Type: Service
  • Database: PostgreSQL (PacksRegistryDbContext, EF Core managed, stub)
  • Endpoints: Defined in JobEngine Program.cs

Centralized registry for distributable task packs, policy packs, and analyzer bundles with versioned management and integrity verification. All packs are content-addressed. Consolidated into JobEngine per Sprint 208.

Dependencies: JobEngine, object storage, Authority.

Platform

  • Source: src/Platform/
  • Docs: docs/modules/platform/
  • Type: Service
  • Database: PostgreSQL (57 SQL migrations, stellaops shared database)
  • Endpoints: 45+ (analytics, context, environment settings, evidence thread, federation telemetry, function map, integration read model, legacy alias, pack adapter, platform, policy interop, release control, release read model, score, security read model, topology read model, trust signing, and more)

Central platform service providing analytics, context management, environment settings, evidence threading, federation telemetry, function maps, integration health, release control, scoring, security, and topology read models. Largest module by migration count. Owns the migration consolidation framework (MigrationModuleRegistry, MigrationModulePluginDiscovery, MigrationModuleConsolidation).

Dependencies: Authority, all modules (migration coordination), PostgreSQL.

Plugin

  • Source: src/Plugin/
  • Docs: docs/modules/plugin/
  • Type: Library / Framework
  • Database: PostgreSQL (Plugin Registry, 1 SQL migration)
  • Endpoints: None

Plugin SDK, registry, sandbox, and host framework enabling extensibility across the platform. Includes Abstractions (contracts), Sdk (development SDK), Host (lifecycle management), Registry (PostgreSQL persistence), Sandbox (isolated execution), Cli (management tool), Testing (test harness), and Samples.

Dependencies: None (framework consumed by other modules).

Policy

  • Source: src/Policy/
  • Docs: docs/modules/policy/
  • Type: Service (Engine + Gateway)
  • Database: PostgreSQL (5 SQL migrations plus demo seed)
  • Endpoints: 59 (49 Engine + 10 Gateway)

Deterministic policy evaluation engine and gateway service compiling stella-dsl policy packs into verdicts by joining SBOM inventory, advisories, and VEX evidence. The Engine provides extensive coverage across advisory AI knobs, attestation reports, batch evaluation, budgets, conflicts, CVSS receipts, determinization, effective policy, merge previews, risk profiles/simulations, sealed mode, verification policy, and violation tracking. The Gateway handles admission decisions, deltas, exception approvals, gates, governance, and registry webhooks.

Dependencies: Concelier, Excititor, SBOM Service, Scanner, Authority, Scheduler.

Provenance (absorbed into Attestor -- Sprint 204)

Provenance attestation library and CLI tool for generating and verifying supply-chain provenance records. Creates in-toto attestation statements linking build artifacts to source materials, build systems, and parameters. A separate provenance cache library exists at src/__Libraries/StellaOps.Provcache.Postgres/. Consolidated into Attestor per Sprint 204.

Dependencies: Attestor.

ReachGraph

  • Source: src/ReachGraph/
  • Docs: docs/modules/reach-graph/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in shared library)
  • Endpoints: Defined in Program.cs

Unified reachability subgraph store providing fast, deterministic, audit-ready answers about why a dependency is reachable. Consolidates reachability data from Scanner (call graphs), Signals (runtime observations), and Attestor (PoE JSON) into content-addressed artifacts with edge-level explainability.

Dependencies: Scanner, Signals, Attestor.

Registry

  • Source: src/Registry/
  • Docs: docs/modules/registry/
  • Type: Service
  • Database: None (stateless)
  • Endpoints: 2 (token issuance)

Docker registry bearer token service issuing short-lived tokens for private or mirrored registries with license/plan enforcement. Validates caller identity using Authority-issued tokens, authorizes requested registry scopes against a configured plan catalogue, and mints Docker-registry-compatible JWTs.

Dependencies: Authority.

ReleaseOrchestrator

  • Source: src/ReleaseOrchestrator/
  • Docs: docs/modules/release-jobengine/
  • Type: Service (Active Development)
  • Database: PostgreSQL (planned, via Platform migrations)
  • Endpoints: 1

Central release control plane for non-Kubernetes container estates governing promotion across environments (Dev, Stage, Prod), enforcing security and policy gates, and producing verifiable evidence. Contains API, agents, apps, and libraries sub-directories with 140K+ lines of production code. Owns environment topology and promotion lanes.

Dependencies: Platform, Policy Engine, Scanner, Authority.

Remediation

Developer-facing signed-PR remediation marketplace enabling discovery, application, and verification of community-contributed fix templates for known CVEs. Templates include unified diff content, version range applicability, and trust scores. Tracks PR submission lifecycle with attestation evidence.

Dependencies: Scanner, Signer / Attestor, Authority.

Replay

  • Source: src/Replay/
  • Docs: docs/modules/replay/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure)
  • Endpoints: 2 (point-in-time query, verdict replay)

Deterministic replay engine ensuring vulnerability assessments can be reproduced byte-for-byte given the same inputs. Manages replay tokens (cryptographically bound to input digests), manifests, feed snapshots, and verification workflows. Stores content-addressed references, not actual data.

Dependencies: Policy Engine, Scanner, Concelier / Excititor.

RiskEngine

  • Source: src/Findings/StellaOps.RiskEngine.* (consolidated into Findings, Sprint 207)
  • Docs: docs-archived/modules/risk-engine/
  • Type: Service
  • Database: PostgreSQL (via shared infrastructure)
  • Endpoints: 1 (exploit maturity)

Risk scoring runtime computing deterministic, explainable risk scores by aggregating signals from EPSS, CVSS, KEV, VEX, and reachability data. Produces audit trails and explainability payloads for every scoring decision. Does not make PASS/FAIL decisions; provides scores to the Policy Engine. Supports offline operation via factor bundles.

Dependencies: Concelier, Excititor, Signals, Policy Engine.

Router

  • Source: src/Router/
  • Docs: docs/modules/router/
  • Type: Service / Framework
  • Database: None
  • Endpoints: 4

Internal service transport using binary protocol (TCP/TLS/UDP) for microservice-to-gateway communication with pluggable transports. Includes a unified plugin, shared libraries, and example microservices. The StellaOps.Gateway.WebService under Router serves as both the HTTP ingress gateway and binary protocol bridge (the standalone src/Gateway/ was deleted in Sprint 200).

Dependencies: Authority, all microservices, Valkey.

RuntimeInstrumentation

Tetragon-based runtime instrumentation library for eBPF-based process and syscall monitoring. Provides integration with Cilium Tetragon enabling observation of actual process execution, file access, and network activity at the kernel level for runtime evidence collection.

Dependencies: Tetragon (eBPF runtime), Zastava / Signals (evidence consumers).

SbomService

  • Source: src/SbomService/
  • Docs: docs/modules/sbom-service/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in Lineage persistence)
  • Endpoints: 5

Canonical SBOM projection, lookup, and timeline API serving deterministic, tenant-scoped SBOM data. Does not perform scanning; consumes Scanner outputs or supplied SPDX/CycloneDX blobs. SBOMs are append-only with mutations via new versions only. Owns the SBOM lineage ledger for versioned uploads, diffs, and retention pruning.

Dependencies: Scanner, Graph, AdvisoryAI, Policy Engine.

Scanner

  • Source: src/Scanner/
  • Docs: docs/modules/scanner/
  • Type: Service
  • Database: PostgreSQL (36 SQL migrations, multiple DbContexts including TriageDbContext)
  • Endpoints: 77 (EPSS, observability, reachability evidence, replay, score replay, unknowns, scan, and 71 more)

Deterministic SBOM generation and vulnerability scanning engine for container images and filesystems with three-way diffs, per-layer caching, and attestation hand-off. Emits Inventory and Usage views. Does not produce PASS/FAIL verdicts. Second-highest migration count covering scans, findings, call graphs, EPSS, smart diffs, unknowns, reachability, binary evidence, secret detection, runtime observations, and score history.

Dependencies: Signer, Attestor, Authority, object storage / RustFS, SBOM Service, Concelier / Excititor.

Scheduler (absorbed into JobEngine -- Sprint 208)

  • Source: src/JobEngine/ (moved from src/Scheduler/)
  • Docs: docs/modules/scheduler/ (historical reference; see docs/modules/jobengine/)
  • Type: Service
  • Database: PostgreSQL (11 SQL migrations, separate SchedulerDbContext)
  • Endpoints: 8 (event webhook, failure signature, graph job, policy run, policy simulation, run, schedule, resolver job)

Re-evaluation scheduler keeping scan results current by pinpointing affected images when new advisories or VEX claims arrive. Default mode is analysis-only (no image pull). Includes event webhooks, failure signature tracking, graph jobs, policy runs/simulations, and vulnerability resolver jobs. Consolidated into JobEngine per Sprint 208; DbContext remains separate.

Dependencies: Scanner.WebService, Policy Engine, Concelier / Excititor, Notify, JobEngine.

Sdk (archived -- absorbed into Tools)

  • Source: src/Tools/StellaOps.Sdk.Generator/, src/Tools/StellaOps.Sdk.Release/
  • Docs: docs/modules/tools/
  • Type: Library / Code Generator
  • Database: None
  • Endpoints: None

Client SDK generator and release SDK for producing typed API clients across multiple languages from OpenAPI specifications. Absorbed into src/Tools/ as of Sprint 212.

Dependencies: Gateway / OpenAPI specs.

Signals

  • Source: src/Signals/
  • Docs: docs/modules/signals/
  • Type: Service
  • Database: PostgreSQL (6 SQL migrations)
  • Endpoints: 1 (SCM webhook)

Unified evidence-weighted scoring system aggregating reachability, runtime observations, backport detection, exploit intelligence, source trust, and mitigations into a single 0-100 score. Maintains determinism, provides score decomposition with explanations, and supports SCM webhook integration for change-triggered re-scoring.

Dependencies: Scanner, Concelier / Excititor, RuntimeInstrumentation, Policy Engine.

Signer (absorbed into Attestor -- Sprint 204)

  • Source: src/Attestor/ (moved from src/Signer/)
  • Docs: docs/modules/signer/ (historical reference; see docs/modules/attestor/)
  • Type: Service
  • Database: PostgreSQL (KeyManagementDbContext, 2 SQL migrations, separate DbContext)
  • Endpoints: 3 (ceremony, key rotation, signer)

The only service permitted to produce Stella Ops-verified DSSE signatures over SBOMs and reports, enforcing entitlement (PoE), sender-constrained auth, and supply-chain integrity. Does not push to Rekor (Attestor does). Stateless for the hot path with keys in KMS/HSM or ephemeral (keyless mode). Supports multi-algorithm signing (ECDSA, EdDSA, eIDAS, FIPS, GOST, SM). Consolidated into Attestor per Sprint 204; DbContext remains separate for security isolation.

Dependencies: Authority, Cryptography library, KMS/HSM.

SmRemote

  • Source: src/SmRemote/
  • Docs: docs/modules/sm-remote/
  • Type: Service
  • Database: None
  • Endpoints: Defined in Program.cs

Remote service for Chinese SM2/SM3/SM4 cryptographic operations enabling sovereign crypto compliance. Allows deployments requiring SM compliance to offload operations to a dedicated service rather than requiring SM crypto libraries on every host.

Dependencies: Cryptography Plugin.Sm.

Symbols (absorbed into BinaryIndex -- Sprint 202)

  • Source: src/BinaryIndex/StellaOps.Symbols.* (moved from src/Symbols/)
  • Docs: docs/modules/binary-index/architecture.md (Symbols section)
  • Type: Service
  • Database: None (content-addressed storage)
  • Endpoints: 1 (symbol source)

Symbol resolution and debug information management service for native binary analysis. Maps symbols to packages, manages debug information, and supports stripped binary analysis. Includes marketplace architecture for community-contributed symbol sources and offline symbol stores. Consolidated into BinaryIndex per Sprint 202.

Dependencies: Scanner, BinaryIndex.

TaskRunner (absorbed into JobEngine -- Sprint 208)

  • Source: src/JobEngine/ (moved from src/TaskRunner/)
  • Docs: docs/modules/taskrunner/ (historical reference; see docs/modules/jobengine/)
  • Type: Service
  • Database: PostgreSQL (via infrastructure layer, stub DbContext)
  • Endpoints: Defined in JobEngine Program.cs

Deterministic task pack execution engine with approvals, sealed-mode enforcement, evidence capture, and DSSE attestation for every completed run. Three-phase execution: Plan (build execution graph), optional Simulation (dry-run with gates), and Execution (verify plan hash, execute steps, stream logs). Operates offline/air-gapped. Consolidated into JobEngine per Sprint 208.

Dependencies: JobEngine, Authority, Attestor, object storage.

Telemetry

Observability library providing OpenTelemetry-based metrics, traces, and logs with Roslyn analyzers ensuring telemetry best practices. Supports multiple pipeline profiles (default, forensic, airgap) with allow-listed exporters for sovereign readiness. Forensic archives produce signed bundles of raw OTLP records.

Dependencies: Prometheus, Tempo/Jaeger, Loki.

Timeline

  • Source: src/Timeline/
  • Docs: docs/modules/timeline/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration in Timeline.Core)
  • Endpoints: 3 (export, replay, timeline)

Timeline query service providing export, replay, and timeline browsing endpoints for vulnerability history and event streams. Uses shared libraries from StellaOps.Eventing for event envelope schemas and StellaOps.Timeline.Core for core logic including critical path view.

Dependencies: All services (event sources). TimelineIndexer is now consolidated into the Timeline module (src/Timeline/).

Tools

Developer utility tools including FixtureUpdater, GoldenPairs generator, LanguageAnalyzerSmoke, NotifySmokeCheck, PolicyDslValidator, PolicySchemaExporter, PolicySimulationSmoke, RustFsMigrator, WorkflowGenerator, and a Python CERT-Bund offline snapshot tool.

Dependencies: Various (tool-specific).

Unknowns

  • Source: src/Unknowns/
  • Docs: docs/modules/unknowns/
  • Type: Service
  • Database: PostgreSQL (UnknownsDbContext, 4 SQL migrations)
  • Endpoints: 2 (grey queue, unknowns)

Structured registry for tracking unresolved components, symbols, and incomplete mappings that Scanner and other analyzers cannot definitively identify. Includes a Grey Queue for lifecycle management (queueing, triage, resolution). Does not guess identities; records what cannot be determined.

Dependencies: Scanner, Signals.

Verifier (archived -- absorbed into Tools)

  • Source: src/Tools/StellaOps.Verifier/
  • Docs: docs/modules/tools/
  • Type: CLI Tool
  • Database: None
  • Endpoints: None

Standalone CLI tool for verifying the integrity and authenticity of signed evidence bundles produced by the platform. Absorbed into src/Tools/ as of Sprint 212.

Dependencies: None (standalone verification).

VexHub

  • Source: src/VexHub/
  • Docs: docs/modules/vex-hub/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 1 (VexHubEndpointExtensions)

VEX document hub providing centralized management, distribution, and integration of VEX statements across the platform. Stores VEX statements from various sources and distributes data to Excititor for processing.

Dependencies: Excititor, IssuerDirectory, Authority.

VexLens

  • Source: src/VexLens/
  • Docs: docs/modules/vex-lens/
  • Type: Service
  • Database: PostgreSQL (1 SQL migration)
  • Endpoints: 2 (export, VexLens)

VEX consensus viewer and analysis service providing issuer-aware VEX statement evaluation with export capabilities. Evaluates VEX statements from multiple issuers, computes consensus views considering trust weights and provenance, and integrates with IssuerDirectory for owner manifest resolution.

Dependencies: Excititor, IssuerDirectory, Policy Engine.

VulnExplorer

  • Source: src/Findings/StellaOps.VulnExplorer.* (consolidated into Findings, Sprint 207)
  • Docs: docs-archived/modules/vuln-explorer/
  • Type: Service
  • Database: None (reads from other modules' databases)
  • Endpoints: Defined in Program.cs

Vulnerability exploration API providing rich querying, filtering, and analysis of vulnerability findings across the platform. Aggregates data from Scanner, Concelier, Excititor, Policy, and Signals to present a unified vulnerability view with concept-based navigation and evidence links.

Dependencies: Scanner, Concelier, Excititor, Policy Engine, Signals, Findings Ledger.

Web

  • Source: src/Web/
  • Docs: docs/modules/ui/
  • Type: UI (Angular SPA)
  • Database: None
  • Endpoints: None

Angular single-page application providing the operator console with vulnerability dashboard, release management, policy studio, evidence browser, SBOM exploration, notification management, and administrative controls. Includes search client APIs for knowledge search integration, smart diff visualization, AI UX patterns, and competitive triage workflows.

Dependencies: Gateway (API proxy), all backend APIs.

Zastava

  • Source: src/Zastava/
  • Docs: docs/modules/zastava/
  • Type: Service (three processes: Agent, Observer, Webhook)
  • Database: None (stateless agents)
  • Endpoints: Webhook endpoints, agent APIs defined in Program.cs

Runtime inspector and enforcer watching real workloads, detecting drift from scanned baselines, verifying image/SBOM/attestation posture, and optionally admitting/blocking deployments. Observer inventories containers and verifies signatures; Admission (optional Kubernetes webhook) enforces minimal posture pre-flight. On non-Kubernetes Docker hosts, runs as a host service with observer-only features.

Dependencies: Scanner.WebService, Policy Engine, Signals, Attestor, Authority.

Documentation Standards

Each module folder should contain:

File Purpose
README.md Quick overview, purpose, components
architecture.md Detailed architecture specification
AGENTS.md (Optional) Claude Code agent guidance
operations/ (Optional) Operational runbooks

See the Documentation Template Standard for the full architecture.md template.