git.stella-ops.org/docs2/architecture/overview.md
master fcb5ffe25d feat(scanner): Complete PoE implementation with Windows compatibility fix
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 14:52:08 +02:00


# Architecture overview

## System boundary

- Self-hosted by default with optional licensing validation.
- Offline-first, with all critical verification paths available without network access.

## Core infrastructure

- PostgreSQL: the only canonical database, with schema isolation per module.
- Valkey: cache, queues, and streams (Redis-compatible).
- RustFS: object storage for content-addressed artifacts.
- Optional: NATS JetStream as an alternative queue and stream transport.

## External dependencies

- OCI registry with referrers for SBOM and attestation discovery.
- Fulcio or KMS-backed signing (optional, depending on crypto profile).
- Rekor (optional) for transparency log anchoring.

## Core services (high level)

- Authority: OIDC and OAuth2 token issuance, DPoP and mTLS sender constraints.
- Signer: DSSE signing with entitlement checks and scanner integrity verification.
- Attestor: transparency logging and attestation verification.
- Scanner (Web + Worker): SBOM generation, analyzers, inventory and usage views, diffs.
- Concelier: advisory ingest under the Aggregation-Only Contract (AOC).
- Excititor: VEX ingest under AOC with consensus and evidence preservation.
- Policy Engine: deterministic policy evaluation with explain traces.
- Scheduler: impact selection and analysis-only re-evaluation.
- Notify: rules, channels, and delivery workflows.
- Export Center: deterministic exports and offline bundles.
- UI and CLI: operator and automation surfaces.
- Zastava: runtime observer and optional admission enforcement.
- Advisory AI: evidence-based guidance with guardrails.
- Orchestrator: job DAGs and pack runs.

## Trust boundaries

- Authority issues short-lived OpTok tokens with sender constraints (DPoP or mTLS).
- Signer enforces Proof of Entitlement (PoE) and scanner image integrity before signing.
- Only Signer produces DSSE; only Attestor writes to Rekor.
- All evidence is content-addressed and immutable once written.
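As an added illustration (not StellaOps code, nor taken from this repository), the following Python models the trust-boundary invariants listed above: a write-once, content-addressed evidence store whose `sha256:` digests are mapped to Windows-safe file names (the colon-to-underscore sanitization the commit message mentions), and DSSE envelope signing and verification that accepts only the Signer's key id. The `EvidenceStore` class, the `SIGNER_KEY_ID` value, and the HMAC-SHA256 stand-in for a KMS- or Fulcio-backed signing key are assumptions made so the example runs offline; the pre-authentication encoding follows the DSSE v1 specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: a stand-in key and key id for the Signer service. In the
# real system the key would live in a KMS or be issued via Fulcio (assumption).
SIGNER_KEY = b"constructed-signer-key-not-for-real-use"
SIGNER_KEY_ID = "signer-primary"


def digest_of(content: bytes) -> str:
    """Content address in the 'sha256:<hex>' form used for immutable evidence."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def digest_to_path(digest: str) -> str:
    """Map a digest to a filesystem-safe name: ':' is illegal in Windows file
    names, so it becomes '_' (the sanitization described in the commit message)."""
    return digest.replace(":", "_")


class EvidenceStore:
    """Write-once, content-addressed store (hypothetical). Writes of identical
    content are idempotent; any attempt to change what a digest points to is refused."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}

    def put(self, content: bytes) -> str:
        digest = digest_of(content)
        existing = self._blobs.get(digest)
        if existing is not None and existing != content:
            raise ValueError(f"refusing to overwrite {digest}")
        self._blobs.setdefault(digest, content)
        return digest

    def get(self, digest: str) -> bytes:
        content = self._blobs[digest]
        # Verify on read so a corrupted backend cannot serve mismatched evidence.
        if digest_of(content) != digest:
            raise ValueError(f"stored bytes do not match {digest}")
        return content


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes that are actually signed."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def sign_dsse(payload_type: str, payload: bytes, key: bytes, key_id: str) -> dict:
    """Wrap a payload in a DSSE envelope. HMAC-SHA256 stands in for the real
    asymmetric signature so the example runs offline (assumption)."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": _b64(payload),
        "signatures": [{"keyid": key_id, "sig": _b64(sig)}],
    }


def verify_dsse(envelope: dict, key: bytes, trusted_key_id: str) -> bytes:
    """Return the payload if a signature under the trusted key id verifies.
    Signatures under any other key id are ignored: only Signer may produce DSSE."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for entry in envelope["signatures"]:
        if entry["keyid"] != trusted_key_id:
            continue
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            return payload
    raise ValueError("no valid signature from the trusted Signer key")


def is_valid(envelope: dict, key: bytes, trusted_key_id: str) -> bool:
    """Boolean form of verify_dsse for callers that only need accept/reject."""
    try:
        verify_dsse(envelope, key, trusted_key_id)
        return True
    except (ValueError, KeyError):
        return False


def attest_and_store(store: EvidenceStore, statement: dict) -> tuple[str, str]:
    """Sign an in-toto style statement, store the raw statement and the envelope
    content-addressed, and return both digests (canonical JSON keeps digests stable)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    envelope = sign_dsse("application/vnd.in-toto+json", payload, SIGNER_KEY, SIGNER_KEY_ID)
    env_bytes = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return store.put(payload), store.put(env_bytes)


if __name__ == "__main__":
    store = EvidenceStore()
    stmt_digest, env_digest = attest_and_store(
        store, {"_type": "https://in-toto.io/Statement/v1", "subject": []})
    print(stmt_digest, "->", digest_to_path(stmt_digest))
    print("envelope valid:", is_valid(json.loads(store.get(env_digest)), SIGNER_KEY, SIGNER_KEY_ID))
```

The verifier's key-id check is the code-level expression of "only Signer produces DSSE": an envelope signed under any other key id, or with a tampered payload, is rejected even when the key material itself is correct, and the store's read-time digest check makes evidence corruption detectable rather than silent.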