Roadmap
This repository is the source of truth for StellaOps direction. The roadmap is expressed as stable, evidence-based capability milestones (not calendar promises) so it stays correct during long audits and offline operation.
How to read this
- Now / Next / Later are priority bands, not dates.
- A capability is "done" when the required evidence exists and is reproducible (see docs/roadmap/maturity-model.md).
Now (Foundation)
- Deterministic scan pipeline: image -> SBOMs (SPDX 3.0.1 + CycloneDX 1.6) with stable identifiers and replayable outputs.
- Advisory ingestion with offline-friendly mirrors, normalization, and deterministic merges.
- VEX-first triage: OpenVEX ingestion/consensus with explainable, stable verdicts.
- Policy gates: deterministic policy evaluation (OPA/Rego where applicable) with audit-friendly decision traces.
- Offline Kit workflows (bundle -> import -> verify) with signed artifacts and deterministic indexes.
Next (Hardening)
- Multi-tenant isolation (tenancy boundaries + RLS where applicable) and an audit trail built for replay.
- Signing and provenance hardening: DSSE/in-toto everywhere; configurable crypto profiles (FIPS/GOST/SM) where enabled.
- Determinism gates and replay tests in CI to prevent output drift across time and environments.
Later (Ecosystem)
- Wider connector/plugin ecosystem, operator tooling, and SDKs.
- Expanded graph/reachability capabilities and export/pack formats for regulated environments.
Detailed breakdown
- docs/roadmap/README.md
- docs/roadmap/maturity-model.md
Related high-level docs
- docs/03_VISION.md
- docs/04_FEATURE_MATRIX.md
- docs/40_ARCHITECTURE_OVERVIEW.md
- docs/24_OFFLINE_KIT.md
- docs/key-features.md