git.stella-ops.org/docs2/product/overview.md
master fcb5ffe25d feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 14:52:08 +02:00

Product overview

Problem and promise

StellaOps is a deterministic, evidence-linked container security platform that works the same online or fully air-gapped. It focuses on reproducible decisions, explainable evidence, and offline-first operations rather than opaque SaaS judgments.

Core capabilities

  1. Decision Capsules
  • Every decision is packaged as a content-addressed bundle with the exact SBOM, feed snapshots, reachability evidence, policy version, derived VEX, and signatures.
  2. Deterministic replay
  • Scans are reproducible using pinned inputs and snapshots. The same inputs yield the same outputs.
  3. Evidence-linked policy (lattice VEX)
  • Policy decisions merge SBOM, advisories, VEX, and waivers through deterministic logic with explicit Unknown handling and explainable traces.
  4. Hybrid reachability
  • Static call graphs and runtime traces are combined; the resulting reachability evidence is attestable and replayable.
  5. Sovereign and offline operation
  • Offline kits, mirrored feeds, and bring-your-own trust roots enable regulated or air-gapped use.
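
The content-addressing and pinned-input replay described in items 1 and 2, shown as an added example that is not StellaOps code: each input is pinned by SHA-256 digest and the capsule ID is the digest of a canonically serialized manifest. The manifest layout, the role names and the `build_capsule` / `verify_capsule` helpers are assumptions made for illustration, and the sample inputs are constructed.

```python
import hashlib
import json


def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Sorted keys and fixed separators: the same object always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_capsule(inputs: dict[str, bytes], policy_version: str) -> dict:
    """Pin every input by digest; the capsule ID is the digest of the manifest.

    Hypothetical layout. No wall-clock time goes into the hashed manifest,
    so rebuilding from the same inputs reproduces the same ID.
    """
    manifest = {
        "policyVersion": policy_version,
        # Stable ordering: entries sorted by role, not by insertion order.
        "inputs": [{"role": r, "digest": digest(b), "size": len(b)}
                   for r, b in sorted(inputs.items())],
    }
    return {"id": digest(canonical(manifest)), "manifest": manifest}


def verify_capsule(capsule: dict, inputs: dict[str, bytes]) -> list[str]:
    """Return the problems found before a replay; an empty list means the inputs match."""
    problems = []
    if digest(canonical(capsule["manifest"])) != capsule["id"]:
        problems.append("manifest does not match capsule id")
    pinned = {e["role"]: e["digest"] for e in capsule["manifest"]["inputs"]}
    for role in sorted(pinned.keys() | inputs.keys()):
        if role not in inputs:
            problems.append(f"missing input: {role}")
        elif role not in pinned:
            problems.append(f"unpinned input: {role}")
        elif digest(inputs[role]) != pinned[role]:
            problems.append(f"digest mismatch: {role}")
    return problems


# Constructed sample inputs, not real SBOM, feed or VEX data.
SAMPLE = {"sbom": b'{"bomFormat":"CycloneDX"}',
          "feed-snapshot": b"advisories-2025-01",
          "vex": b'{"statements":[]}'}

if __name__ == "__main__":
    capsule = build_capsule(SAMPLE, "policy-v1")
    print(capsule["id"], verify_capsule(capsule, SAMPLE))
```

A signature over the capsule ID (for instance in a DSSE envelope, as listed under the standards below) would then cover every pinned input transitively.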

Capability clusters (what ships)

  • SBOM-first scanning with delta reuse and inventory vs usage views
  • Explainable policy and VEX-first decisioning with unknowns surfaced
  • Attestation and transparency via DSSE and optional Rekor
  • Offline operations with signed kits and local verification
  • Governance and observability with audit trails and quotas

Standards and interoperability

  • SBOM: CycloneDX 1.7 (CycloneDX 1.6 accepted for ingest), SPDX 3.0.1 for relationships
  • VEX: OpenVEX and CSAF VEX, CycloneDX VEX where applicable
  • Attestations: in-toto statements in DSSE envelopes
  • Transparency: Rekor (optional, mirror supported)
  • Findings interchange: SARIF optional for tooling compatibility

Target users

  • Security engineering: explainable, replayable decisions with verifiable evidence
  • Platform and SRE: deterministic scanning that works offline
  • Compliance and audit: signed evidence bundles and traceable policy decisions

Non-goals

  • Not a new package manager
  • Not a hosted-only scanner or closed pipeline
  • No hidden trust in external services for core verification

Requirements snapshot

  • Deterministic outputs, stable ordering, and UTC timestamps
  • Offline-first operation with mirrored feeds and local verification
  • Policy decisions always explainable and evidence-linked
  • Short-lived credentials and least-privilege design
  • Baseline deployment uses Linux, Docker or Kubernetes, and local storage