Stella Ops Suite Documentation
Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.
The platform combines:
- Release orchestration — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- Security decisioning as a gate — Scan on build, evaluate on release, re-evaluate on CVE updates
- OCI-digest-first releases — Immutable digest-based release identity with "what is deployed where" tracking
- Toolchain-agnostic integrations — Plug into any SCM, CI, registry, and secrets system
- Auditability + standards — Evidence packets, SBOM/VEX/attestation support, deterministic replay
Two Levels of Documentation
- High-level (canonical): the curated guides in docs/*.md.
- Detailed (reference): deep dives under docs/** (module dossiers, architecture notes, API contracts/samples, runbooks, schemas). The entry point is docs/technical/README.md.
This documentation set is internal and does not keep compatibility stubs for old paths. Content is consolidated to reduce duplication and outdated pages.
Start Here
Product Understanding
| Goal | Open this |
|---|---|
| Understand the product in 2 minutes | overview.md |
| Browse capabilities | key-features.md |
| Feature matrix | FEATURE_MATRIX.md |
| Product vision | product/VISION.md |
| Roadmap (priorities + definition of "done") | ROADMAP.md |
Getting Started
| Goal | Open this |
|---|---|
| Run a first scan (CLI) | quickstart.md |
| Ingest advisories (Concelier + CLI) | CONCELIER_CLI_QUICKSTART.md |
| Console (Web UI) operator guide | UI_GUIDE.md |
| Offline / air-gap operations | OFFLINE_KIT.md |
Architecture
| Goal | Open this |
|---|---|
| Architecture: high-level overview | ARCHITECTURE_OVERVIEW.md |
| Architecture: full reference map | ARCHITECTURE_REFERENCE.md |
| Architecture: user flows (UML) | technical/architecture/user-flows.md |
| Architecture: module matrix | technical/architecture/module-matrix.md |
| Architecture: data flows | technical/architecture/data-flows.md |
| Architecture: schema mapping | technical/architecture/schema-mapping.md |
| Release Orchestrator architecture | modules/release-orchestrator/architecture.md |
Development & Operations
| Goal | Open this |
|---|---|
| Develop plugins/connectors | PLUGIN_SDK_GUIDE.md |
| Security deployment hardening | SECURITY_HARDENING_GUIDE.md |
| VEX consensus and issuer trust | VEX_CONSENSUS_GUIDE.md |
| Vulnerability Explorer guide | VULNERABILITY_EXPLORER_GUIDE.md |
Detailed Indexes
- Technical index (everything): docs/technical/README.md
- End-to-end workflow flows: docs/flows/
- Module dossiers: docs/modules/
- API contracts and samples: docs/api/
- Architecture notes / ADRs: docs/technical/architecture/, docs/technical/adr/
- Operations and deployment: docs/operations/
- Air-gap workflows: docs/modules/airgap/guides/
- Security deep dives: docs/security/
- Benchmarks and fixtures: docs/benchmarks/, docs/assets/
- Product advisories: docs/product/advisories/
Platform Themes
Stella Ops Suite organizes capabilities into themes:
Existing Themes (Operational)
| Theme | Purpose | Key Modules |
|---|---|---|
| INGEST | Advisory ingestion | Concelier, Advisory-AI |
| VEXOPS | VEX document handling | Excititor, VEX Lens, VEX Hub |
| REASON | Policy and decisioning | Policy Engine, OPA Runtime |
| SCANENG | Scanning and SBOM | Scanner, SBOM Service, Reachability |
| EVIDENCE | Evidence and attestation | Evidence Locker, Attestor, Export Center |
| RUNTIME | Runtime signals | Signals, Graph, Zastava |
| JOBCTRL | Job orchestration | Scheduler, Orchestrator, TaskRunner |
| OBSERVE | Observability | Notifier, Telemetry |
| REPLAY | Deterministic replay | Replay Engine |
| DEVEXP | Developer experience | CLI, Web UI, SDK |
Planned Themes (Release Orchestration)
| Theme | Purpose | Key Modules |
|---|---|---|
| INTHUB | Integration hub | Integration Manager, Connection Profiles, Connector Runtime |
| ENVMGR | Environment management | Environment Manager, Target Registry, Agent Manager |
| RELMAN | Release management | Component Registry, Version Manager, Release Manager |
| WORKFL | Workflow engine | Workflow Designer, Workflow Engine, Step Executor |
| PROMOT | Promotion and approval | Promotion Manager, Approval Gateway, Decision Engine |
| DEPLOY | Deployment execution | Deploy Orchestrator, Target Executor, Artifact Generator |
| AGENTS | Deployment agents | Agent Core, Docker/Compose/ECS/Nomad agents |
| PROGDL | Progressive delivery | A/B Manager, Traffic Router, Canary Controller |
| RELEVI | Release evidence | Evidence Collector, Sticker Writer, Audit Exporter |
| PLUGIN | Plugin infrastructure | Plugin Registry, Plugin Loader, Plugin SDK |
Design Principles
- Offline-first: All core operations work in air-gapped environments
- Deterministic replay: Same inputs yield same outputs (stable ordering, canonical hashing)
- Evidence-linked decisions: Every decision links to concrete evidence artifacts
- Digest-first release identity: Releases are immutable OCI digests, not mutable tags
- Pluggable everything: Integrations are plugins; core orchestration is stable
- No feature gating: All plans include all features; limits are on the number of environments and new digests per day