git.stella-ops.org/docs/modules/ui/v2-rewire/pack-03.md
2026-02-18 23:03:07 +02:00


## Pack 3 — Security + Evidence & Audit + Operations
This pack adds the missing **SBOM/Finding signals**, **hybrid reachability (build/image/runtime)**, and a first-class **Nightly Ops Report**, while keeping the “release/hotfix + security + audit” spine. ([Stella Ops Suite][1])

---
# 0) Design rule for this pack (why these screens look the way they do)
When Stella Ops opens, the UI must communicate fast:
* **What is deployed where (by digest)**
* **What is allowed to ship next**
* **Why it is allowed/blocked (policy + reachability evidence)**
* **Where the evidence is (one-click proof/export)** ([Gitea: Git with a cup of tea][2])
Everything in this pack is arranged to serve that rule.

---
# 1) SECURITY — menus + screens
## 1.1 Security menu graph (Mermaid)
```mermaid
flowchart TD
S0["Security (menu)"]
S1["Security Overview (global)"]
S2["Findings (SBOM + CVE)"]
S3["Finding Detail"]
S4["Hybrid Reachability (build/image/runtime)"]
S5["Reachability Evidence Detail"]
S6["VEX Hub"]
S7["VEX Statement Detail"]
S8["Exceptions"]
S9["Exception Detail"]
S10["SBOM Explorer (Graph)"]
S0 --> S1
S0 --> S2 --> S3 --> S5
S0 --> S4 --> S5
S0 --> S6 --> S7
S0 --> S8 --> S9
S0 --> S10
```
---
## 1.2 Screen — Security Overview (global)
**New location:** `Security → Security Overview`
**Previously:** `Security → Overview` (“Security Overview”)
**Why changed:**
* Your dashboard needs the **SBOM/finding signal surfaced** and “which env/region is burning” visible at a glance (not “0 across the board” unless truly 0).
* This overview becomes the **security posture rollup** across regions/environments with **reachability emphasis** (reachable CVEs are what matter for decisions).
### Screen graph (Mermaid)
```mermaid
flowchart LR
A["Security Overview"] --> B["Findings (filtered)"]
A --> C["Hybrid Reachability"]
A --> D["VEX Hub"]
A --> E["Exceptions"]
A --> F["Evidence Capsule (latest)"]
A --> G["Ops: Nightly Report (security pipelines)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Stella Ops [Search releases/digests…] |
|--------------------------------------------------------------------------------------------------|
| NAV | Security / Overview |
|------------------------| formerly: Security → Overview (Security Overview) |
| Dashboard |-------------------------------------------------------------------------|
| Release Control | GLOBAL POSTURE (last refresh 2m) |
| Security (YOU ARE) | Reachable CVEs: CRIT [2] HIGH [7] MED [14] LOW [33] |
| Evidence & Audit | Non-reachable CVEs (noise): 1,284 |
| Operations |-------------------------------------------------------------------------|
| Integrations | HOTSPOTS (Reachable CRIT/HIGH by env) |
| Administration | prod/us-east-1 CRIT=2 HIGH=3 | prod/eu-west-1 CRIT=0 HIGH=4 |
| | staging/us-east-1 CRIT=0 HIGH=1 | dev/* CRIT=0 HIGH=0 |
| |-------------------------------------------------------------------------|
| | HYBRID REACHABILITY COVERAGE (must not be “third class”) |
| | Build: 92% | Image (Dover): 100% | Runtime: 63% |
| | Gaps: prod/eu-west-1 runtime ingest delayed (last 6h) |
| |-------------------------------------------------------------------------|
| | Quick actions: [View Findings] [Reachability] [VEX Hub] [Exceptions] |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.3 Screen — Findings (SBOM + CVE unified)
**New location:** `Security → Findings`
**Previously:**
* `Security → Findings` (“Security Findings”)
* `Security → Vulnerabilities` (“Vulnerabilities”)
**Why changed:**
* **One list** with consistent semantics: “CVE + package + reachability + environments + releases/bundles impacted”.
* The old “Vulnerabilities” page becomes a **redirect** to this screen with preset filters (e.g., `View=CVE Catalog`).
### Screen graph (Mermaid)
```mermaid
flowchart TD
L["Findings (SBOM + CVE)"] --> F["Finding Detail"]
L --> X["Export CSV"]
L --> V["VEX Hub (context)"]
L --> E["Create Exception (pre-filled)"]
L --> R["Reachability view (hybrid columns)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Security / Findings [Export CSV] [Saved Views]|
| formerly: Security → Findings (Security Findings) + Security → Vulnerabilities (Vulnerabilities) |
|--------------------------------------------------------------------------------------------------|
| Filters: Severity [All] Reachability [Any/Reachable] Source [Build/Image/Runtime/Any] |
| Region [All] Environment [All] VEX [Any/Has VEX/Needs VEX] |
|--------------------------------------------------------------------------------------------------|
| CVE PACKAGE SEV CVSS REACHABILITY (B/I/R) VEX RELEASE/BUNDLE ENVS |
| CVE-... openssl CRIT 9.8 ✅ / ✅ / ✅ — hotfix-auth 1.2.4 prod/us-east-1|
| CVE-... log4j HIGH 8.1 ✅ / ✅ / ☐ vendor platform 1.3.0 prod/eu-west-1|
| CVE-... zlib MED 6.5 ☐ / ✅ / ☐ local payments 2.8.4 staging/us-e1|
|--------------------------------------------------------------------------------------------------|
| Notes: Reachability columns are hybrid: Build analysis, Image (Dover), Runtime (deployed). |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.4 Screen — Finding Detail (evidence-first)
**New location:** `Security → Findings → (Finding Detail)`
**Previously:** fragmented across Findings + (future) SBOM Graph + VEX Hub
**Why changed:**
* A decision is only as good as its proof: this page centers **reachability evidence**, **affected environments**, **VEX**, and **the promotion impact** (blocked vs allowed) with links to **Decision Capsule**.
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Finding Detail"] --> R["Reachability Evidence (hybrid)"]
D --> V["VEX Statements"]
D --> P["Promotion Impact (gates + approvals)"]
D --> X["Request Exception"]
D --> E["Evidence Capsule (view/download)"]
D --> A["Remediation actions (upgrade/patch)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Finding: CVE-2026-XXXX (openssl) [Request Exception] |
| formerly: (spread across) Security Findings + VEX Hub + (SBOM Graph placeholder) |
|--------------------------------------------------------------------------------------------------|
| Summary: CRITICAL CVSS 9.8 Package: openssl@3.0.x |
| Affected artifacts (digests): sha256:aaaa… sha256:bbbb… |
|--------------------------------------------------------------------------------------------------|
| Reachability (hybrid) |
| Build: ✅ reachable (call path: api-gateway -> tls -> openssl) |
| Image (Dover): ✅ reachable (static analysis) |
| Runtime: ✅ reachable (trace evidence: prod/us-east-1) |
| [View Reachability Evidence] |
|--------------------------------------------------------------------------------------------------|
| Environments impacted |
| prod/us-east-1 (2 services) prod/eu-west-1 (1 service) |
|--------------------------------------------------------------------------------------------------|
| VEX |
| Vendor VEX: none | Local VEX: draft |
| [Open VEX Hub pre-filtered] |
|--------------------------------------------------------------------------------------------------|
| Promotion impact |
| Gate: "No reachable CRIT" ❌ BLOCKS | Required: patch or approved exception with expiry |
| Evidence capsule: sealed? ✅ [Open Capsule] [Export] |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.5 Screen — Hybrid Reachability (coverage + gaps)
**New location:** `Security → Hybrid Reachability`
**Previously:** *not visible as a coherent surface*
**Why changed:**
* You explicitly require reachability from **Build**, **Image (Dover)**, and **Runtime** to be **second-class (visible)**, not buried.
* This page answers: “Do we trust our reachability picture for each env/region right now?”
### Screen graph (Mermaid)
```mermaid
flowchart TD
H["Hybrid Reachability (Coverage)"] --> M["Coverage Matrix (region/env x source)"]
H --> G["Gap Drilldown (why missing runtime?)"]
H --> F["Findings filtered by 'reachability missing'"]
H --> O["Ops: ingestion pipeline health"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Security / Hybrid Reachability [Export] [Explain] |
| formerly: (missing / implicit) |
|--------------------------------------------------------------------------------------------------|
| Coverage Matrix (last 24h) |
| Region/Env BUILD IMAGE (DOVER) RUNTIME NOTES |
| prod/us-east-1 98% ✅ 100% ✅ 72% ⚠ runtime ingest lag 2h |
| prod/eu-west-1 93% ✅ 100% ✅ 41% ❌ agent offline |
| staging/us-east-1 90% ✅ 100% ✅ 60% ⚠ sampling low |
| dev/us-east-1 80% ⚠ 95% ⚠ 10% ⚠ instrumentation off |
|--------------------------------------------------------------------------------------------------|
| Gap drilldown (selected: prod/eu-west-1 runtime) |
| - Missing agent heartbeat (Integrations: Agents) |
| - Last success: Feb 17 02:10 |
| Links: [Ops Platform Health] [Scheduler Run] [Agent Config] |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.6 Screen — Reachability Evidence Detail
**New location:** via `Finding Detail` or `Hybrid Reachability` drilldowns
**Previously:** not present
**Why changed:**
* Reachability must be inspectable and exportable as evidence; otherwise it's a black box.
### Screen graph (Mermaid)
```mermaid
flowchart LR
E["Reachability Evidence Detail"] --> C["Call graph / trace proof"]
E --> S["Source selector: Build vs Image vs Runtime"]
E --> V["Link to VEX statement"]
E --> P["Link to Policy decision + capsule"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Reachability Evidence: CVE-2026-XXXX in prod/us-east-1 [Download Proof] |
| formerly: (missing / implicit) |
|--------------------------------------------------------------------------------------------------|
| Source: [Build ✅] [Image (Dover) ✅] [Runtime ✅] |
|--------------------------------------------------------------------------------------------------|
| Proof summary |
| Entry point: api-gateway |
| Path: api-gateway -> tls_handler -> openssl::SSL_read -> vulnerable_fn |
| Confidence: High |
|--------------------------------------------------------------------------------------------------|
| Linked artifacts |
| SBOM: sbom@sha256:... Trace: runtime-trace@sha256:... Policy: core-pack v12 |
| Capsule: capsule-prod-us-east-1-2026-02-18 |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.7 Screen — VEX Hub
**New location:** `Security → VEX Hub`
**Previously:** `Security → VEX Hub` (“VEX Statement Dashboard”)
**Why changed:**
* Keep it in Security, but make it clearly part of the “evidence chain”: VEX must link to findings and reachability proof (not just a statement list). ([Gitea: Git with a cup of tea][3])
### Screen graph (Mermaid)
```mermaid
flowchart TD
V["VEX Hub"] --> S["Search Statements"]
V --> I["Import Vendor VEX"]
V --> D["VEX Statement Detail"]
D --> F["Linked Findings"]
D --> E["Evidence Capsule / Proof chain"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Security / VEX Hub [Search] [Import Vendor] |
| formerly: Security → VEX Hub |
|--------------------------------------------------------------------------------------------------|
| Search: [CVE____] [Package____] [Product____] [Issuer____] [Env____] |
|--------------------------------------------------------------------------------------------------|
| STATEMENT ID CVE PRODUCT/BUNDLE ISSUER STATUS LINKED FINDINGS |
| vex-1021 CVE-... platform 1.3.0 vendorA Verified 3 (2 reachable) |
| vex-1022 CVE-... payments 2.8.4 local Draft 1 (reachability pending)|
|--------------------------------------------------------------------------------------------------|
| Note: Statements should reference reachability proof & capsule for audit replay. |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.8 Screen — VEX Statement Detail
**New location:** `Security → VEX Hub → (Statement)`
**Previously:** not clearly separated
**Why changed:**
* Needed for auditors: statement, issuer, scope, and the linked evidence objects.
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["VEX Statement Detail"] --> L["Linked findings + reachability"]
D --> P["Proof chain"]
D --> X["Export VEX + evidence refs"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| VEX Statement: vex-1021 (vendorA) [Export] [Verify] |
| formerly: Security → VEX Hub (inline row) |
|--------------------------------------------------------------------------------------------------|
| CVE: CVE-2026-XXXX Disposition: Not Affected Justification: component not used at runtime |
| Scope: platform-release 1.3.0-rc1 Envs: prod/* |
|--------------------------------------------------------------------------------------------------|
| Linked evidence |
| - Reachability proof: runtime shows NOT reachable in prod/eu-west-1 (trace id …) |
| - Capsule: capsule-prod-eu-west-1-… |
|--------------------------------------------------------------------------------------------------|
| Linked findings |
| Finding list: 3 (reachable: 0) |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.9 Screen — Exceptions (risk exceptions)
**New location:** `Security → Exceptions`
**Previously:** `Security → Exceptions` (“Security Exceptions”)
**Why changed:**
* Exceptions must show **scope + expiry + approvers + linked evidence**, and tie to policy workflow configured in Administration.
### Screen graph (Mermaid)
```mermaid
flowchart TD
X["Exceptions"] --> D["Exception Detail"]
X --> R["Request Exception"]
D --> A["Approval trail"]
D --> F["Linked Findings / Bundles"]
D --> E["Evidence capsule references"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Security / Exceptions [Request Exception] |
| formerly: Security → Exceptions |
|--------------------------------------------------------------------------------------------------|
| EXC ID SCOPE REASON REQUESTED BY EXPIRES STATUS |
| exc-221 CVE-… in prod/us-e1 hotfix window alice 2026-03-01 Pending |
| exc-222 bundle payments 2.8.4 vendor patch delayed david 2026-02-25 Approved |
|--------------------------------------------------------------------------------------------------|
| Notes: every exception must be time-bounded and linked to evidence & approver signatures. |
+--------------------------------------------------------------------------------------------------+
```
---
## 1.10 Screen — Exception Detail
**New location:** `Security → Exceptions → (Exception)`
**Previously:** not clearly separated
**Why changed:**
* Needed for audit and for “why allowed even though finding exists”.
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Exception Detail"] --> S["Scope + expiry"]
D --> J["Justification + attachments"]
D --> A["Approvals/signatures"]
D --> L["Linked findings + affected envs"]
D --> C["Capsules impacted (promotion events)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Exception: exc-222 (Approved) [Revoke] [Extend] |
| formerly: Security → Exceptions (row) |
|--------------------------------------------------------------------------------------------------|
| Scope: Bundle payments-suite 2.8.4 Env: prod/eu-west-1 |
| Expires: 2026-02-25 23:59 UTC Risk: HIGH reachable allowed with 2 approvals |
|--------------------------------------------------------------------------------------------------|
| Justification: vendor patch ETA + compensating controls |
| Approvals: ✅ alice (sig…) ✅ security-lead (sig…) |
|--------------------------------------------------------------------------------------------------|
| Linked findings: |
| - CVE-… log4j (HIGH reachable) |
| Capsules impacted: |
| - capsule-prod-eu-west-1-2026-02-18 (promotion allowed due to exc-222) |
+--------------------------------------------------------------------------------------------------+
```
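The gate and exception rules shown in the Finding Detail, Exceptions and Exception Detail mocks (reachable findings block promotion unless an approved, unexpired exception with enough approvals covers them) can be sketched as follows. This is an added example, not Stella Ops code: the class and function names, the "any positive source means reachable" rule, the `block_at` threshold, and all CVE/exception ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

RANK = {"LOW": 0, "MED": 1, "HIGH": 2, "CRIT": 3}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str            # LOW / MED / HIGH / CRIT
    env: str                 # region/environment, e.g. "prod/eu-west-1"
    build: Optional[bool]    # per-source result; None = source has no data
    image: Optional[bool]
    runtime: Optional[bool]

    @property
    def sources(self):
        return (self.build, self.image, self.runtime)

    @property
    def reachable(self) -> bool:
        # Assumption: one positive source is enough to treat it as reachable.
        return any(s is True for s in self.sources)

    @property
    def unverified(self) -> bool:
        # Not shown reachable, but a source is missing: a coverage gap.
        return not self.reachable and any(s is None for s in self.sources)


@dataclass(frozen=True)
class RiskException:
    exc_id: str
    cve: str
    env: str
    expires: datetime        # timezone-aware
    status: str              # "Pending" or "Approved"
    approvers: Tuple[str, ...]


def check_exception(exc, now, min_approvals):
    """Return None if `exc` is usable at `now`, else the refusal reason."""
    if exc.status != "Approved":
        return f"{exc.exc_id}: not approved"
    if now >= exc.expires:
        return f"{exc.exc_id}: expired"
    if len(set(exc.approvers)) < min_approvals:
        return f"{exc.exc_id}: needs {min_approvals} distinct approvers"
    return None


def evaluate_gate(findings, exceptions, env, now, block_at="CRIT", min_approvals=2):
    """Decide PASS / PASS* / BLOCK for promoting into `env`."""
    blockers, applied, gaps = [], [], []
    for f in findings:
        if f.env != env or RANK[f.severity] < RANK[block_at]:
            continue
        if f.unverified:
            gaps.append(f.cve)           # surfaced, but does not block here
        if not f.reachable:
            continue
        refusals = []
        for exc in exceptions:
            if (exc.cve, exc.env) != (f.cve, f.env):
                continue                 # exception scoped to something else
            reason = check_exception(exc, now, min_approvals)
            if reason is None:
                applied.append((f.cve, exc.exc_id))
                break
            refusals.append(reason)
        else:
            blockers.append((f.cve, refusals or ["no exception on file"]))
    verdict = "BLOCK" if blockers else ("PASS*" if applied else "PASS")
    return {"verdict": verdict, "blockers": blockers,
            "applied": applied, "coverage_gaps": gaps}


# Constructed sample data (CVE ids and exception ids are placeholders).
NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)
FINDINGS = [
    Finding("CVE-0000-0001", "CRIT", "prod/us-east-1", True, True, True),
    Finding("CVE-0000-0002", "HIGH", "prod/eu-west-1", True, True, None),
    Finding("CVE-0000-0003", "CRIT", "staging/us-east-1", False, False, None),
]
EXCEPTIONS = [
    RiskException("exc-demo-1", "CVE-0000-0001", "prod/us-east-1",
                  datetime(2026, 3, 1, tzinfo=timezone.utc), "Pending", ("alice",)),
    RiskException("exc-demo-2", "CVE-0000-0002", "prod/eu-west-1",
                  datetime(2026, 2, 25, 23, 59, tzinfo=timezone.utc), "Approved",
                  ("alice", "security-lead")),
]

if __name__ == "__main__":
    for env in ("prod/us-east-1", "prod/eu-west-1", "staging/us-east-1"):
        print(env, evaluate_gate(FINDINGS, EXCEPTIONS, env, NOW, block_at="HIGH"))
```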
---
## 1.11 Screen — SBOM Explorer (Graph)
**New location:** `Security → SBOM Explorer (Graph)`
**Previously:** `Security → SBOM Graph` (“SBOM Graph”)
**Why changed:**
* Keep it visible but explicitly “supporting detail”: useful to investigate dependency trees, but not the main control-plane.
* If still not implemented, show it as **(coming soon)** with deep links to Findings and Coverage metrics.
### Screen graph (Mermaid)
```mermaid
flowchart TD
G["SBOM Explorer (Graph)"] --> N["Node detail (package/component)"]
N --> F["Findings for node"]
N --> R["Reachability evidence"]
G --> C["Coverage metrics"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Security / SBOM Explorer (Graph) [Beta] [Open Findings] |
| formerly: Security → SBOM Graph |
|--------------------------------------------------------------------------------------------------|
| If graph rendering is not available in this build: |
| - Show “Graph unavailable” + shortcuts: [Findings filtered by component] [Coverage Metrics] |
|--------------------------------------------------------------------------------------------------|
| Graph area (when enabled): |
| [service: api-gateway] --depends--> [openssl] --depends--> [zlib] |
| click node → right panel: packages, versions, linked CVEs, reachability paths |
+--------------------------------------------------------------------------------------------------+
```
---
# 2) EVIDENCE & AUDIT — menus + screens
## 2.1 Evidence & Audit menu graph (Mermaid)
```mermaid
flowchart TD
E0["Evidence & Audit (menu)"]
E1["Evidence Home (latest capsules)"]
E2["Decision Capsules (Bundles list)"]
E3["Decision Capsule Detail"]
E4["Evidence Packets"]
E5["Packet Detail"]
E6["Proof Chains"]
E7["Proof Chain Detail"]
E8["Replay / Verify"]
E9["Replay Result Detail"]
E10["Export Center"]
E11["Export Run Detail"]
E12["Coverage Metrics (Attestation coverage)"]
E0 --> E1
E0 --> E2 --> E3
E0 --> E4 --> E5
E0 --> E6 --> E7
E0 --> E8 --> E9
E0 --> E10 --> E11
E0 --> E12
```
---
## 2.2 Screen — Evidence Home (quick proof access)
**New location:** `Evidence & Audit → Home`
**Previously:** no single landing (Evidence items were separate)
**Why changed:**
* “Where is the evidence?” must be one click. This home page lists latest capsules and quick exports. ([Gitea: Git with a cup of tea][2])
### Screen graph (Mermaid)
```mermaid
flowchart LR
H["Evidence Home"] --> C["Decision Capsules"]
H --> P["Evidence Packets"]
H --> R["Replay / Verify"]
H --> X["Export Center"]
H --> M["Coverage Metrics"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Home [Export] [Verify Tool] |
| formerly: (no single landing) |
|--------------------------------------------------------------------------------------------------|
| Latest Decision Capsules (sealed) |
| capsule-prod-us-east-1-2026-02-18 bundle: hotfix-auth 1.2.4 verdict: PASS* (exc applied) |
| capsule-prod-eu-west-1-2026-02-18 bundle: platform 1.3.0-rc1 verdict: BLOCK (reachable CRIT)|
| [View all capsules] |
|--------------------------------------------------------------------------------------------------|
| Quick proof actions |
| [Replay a verdict] [Verify signatures] [Export Audit Bundle] [Open Proof Chains] |
|--------------------------------------------------------------------------------------------------|
| Coverage snapshot |
| SBOM: 100% Reachability proofs: 78% VEX: 41% Approvals recorded: 100% |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.3 Screen — Decision Capsules (Evidence Bundles list)
**New location:** `Evidence & Audit → Decision Capsules`
**Previously:** `Evidence → Evidence Bundles` (“Evidence Bundles”)
**Why changed:**
* Rename to match the concept used in docs/marketing: a “decision capsule” binds SBOM + frozen inputs + reachability + policy + signatures so audits can replay deterministically. ([Stella Ops Suite][4])
### Screen graph (Mermaid)
```mermaid
flowchart TD
L["Decision Capsules (list)"] --> D["Capsule Detail"]
L --> V["Verify bundle signatures"]
L --> X["Export (zip/tgz/oci)"]
D --> R["Replay / Verify"]
D --> P["Proof chain"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Decision Capsules [Verify] [Export] |
| formerly: Evidence → Evidence Bundles |
|--------------------------------------------------------------------------------------------------|
| Filters: Region [All] Env [All] Bundle/Release [____] Date [last 30d] Status [All] |
|--------------------------------------------------------------------------------------------------|
| CAPSULE ID BUNDLE/RELEASE ENV VERDICT SEALED ACTIONS |
| capsule-prod-us-e1-... hotfix-auth 1.2.4 prod/us-east-1 PASS ✅ View Export |
| capsule-prod-eu-w1-... platform 1.3.0-rc1 prod/eu-west-1 BLOCK ✅ View Replay |
|--------------------------------------------------------------------------------------------------|
| Each capsule must be exportable and replayable for audit. |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.4 Screen — Decision Capsule Detail
**New location:** `Evidence & Audit → Decision Capsules → (Capsule)`
**Previously:** partially in export flows
**Why changed:**
* This is the “auditor view”: list exact inputs (SBOM + feed snapshot + policy version), outputs (verdict), and signatures. ([Stella Ops Suite][4])
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Capsule Detail"] --> I["Inputs (SBOM, feeds, policy, tools)"]
D --> O["Outputs (verdict, risk, VEX)"]
D --> S["Signatures (DSSE) + transparency refs"]
D --> P["Proof chain graph"]
D --> R["Replay this capsule"]
D --> X["Export formats"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Capsule: capsule-prod-us-east-1-2026-02-18 [Replay] [Export] [Verify Sig] |
| formerly: Evidence → Evidence Bundles (detail) |
|--------------------------------------------------------------------------------------------------|
| Inputs |
| SBOM: sbom@sha256:... Feed snapshots: osv@... nvd@... Policy: core-pack v12 |
| Tools: scanner@sha256:... Reachability: runtime-proof@sha256:... |
|--------------------------------------------------------------------------------------------------|
| Outputs |
| Verdict: PASS (exception exc-222) Reachable CVEs: 1 HIGH VEX: derived/linked |
|--------------------------------------------------------------------------------------------------|
| Signatures |
| DSSE envelope: ✅ Rekor/log ref: ✅ Certificate chain: ✅ |
|--------------------------------------------------------------------------------------------------|
| Links: [Proof Chain] [Related Approvals] [Related Bundle Version] |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.5 Screen — Evidence Packets (formerly “Packets”)
**New location:** `Evidence & Audit → Evidence Packets`
**Previously:** `Evidence → Packets` (“Packets”)
**Why changed:**
* “Packets” is ambiguous; “Evidence Packets” communicates that these are artifact bundles used by capsules/exports/replay.
### Screen graph (Mermaid)
```mermaid
flowchart TD
P["Evidence Packets"] --> D["Packet Detail"]
P --> C["Create/collect packet (job output)"]
D --> X["Export packet"]
D --> L["Link to capsules using it"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Evidence Packets [Create] [Export] |
| formerly: Evidence → Packets |
|--------------------------------------------------------------------------------------------------|
| PACKET ID TYPE SOURCE JOB CREATED USED BY CAPSULES |
| pkt-7712 build-sbom jenkins#7712 Feb 18 2 |
| pkt-opsv-sync advisory-snap mirror-sync Feb 18 5 |
| pkt-runtime-trace runtime-proof agent/prod-us-e1 Feb 18 1 |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.6 Screen — Packet Detail
**New location:** `Evidence Packets → (Packet)`
**Previously:** not explicit
**Why changed:**
* Lets operators/auditors see exactly what artifacts are inside and where they were consumed.
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Packet Detail"] --> A["Artifacts list (SBOM, traces, logs, attestations)"]
D --> M["Manifest + hashes"]
D --> U["Used-by capsules"]
D --> X["Export"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence Packet: pkt-7712 (build-sbom) [Export] [Verify Hash] |
| formerly: Evidence → Packets (row) |
|--------------------------------------------------------------------------------------------------|
| Manifest |
| - sbom.cdx.json (sha256:...) |
| - findings.sarif (sha256:...) |
| - build-provenance.json (sha256:...) |
|--------------------------------------------------------------------------------------------------|
| Used by capsules |
| - capsule-prod-us-east-1-2026-02-18 |
| - capsule-staging-us-east-1-2026-02-18 |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.7 Screen — Proof Chains
**New location:** `Evidence & Audit → Proof Chains`
**Previously:** `Evidence → Proof Chains`
**Why changed:**
* Proof chain view is a top “audit navigation” path: show chain-of-custody from bundle → scan → reachability → policy → approval → capsule.
### Screen graph (Mermaid)
```mermaid
flowchart TD
P["Proof Chains"] --> D["Proof Chain Detail"]
D --> C["Capsules"]
D --> A["Approvals"]
D --> R["Replay entries"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Proof Chains [Search] [Export Graph] |
| formerly: Evidence → Proof Chains |
|--------------------------------------------------------------------------------------------------|
| CHAIN ID SUBJECT (digest/bundle) LAST EVENT CAPSULES STATUS |
| chain-901 bundle platform 1.3.0-rc1 promotion blocked 1 ⚠ blocked |
| chain-902 digest sha256:aaaa… (hotfix-auth) promoted to prod 1 ✅ complete |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.8 Screen — Proof Chain Detail
**New location:** `Proof Chains → (Chain)`
**Previously:** not clear
**Why changed:**
* Auditors want a single timeline/graph; engineers want quick links back to the cause (finding, missing feed, exception).
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Proof Chain Detail"] --> G["Chain graph (events)"]
D --> T["Timeline"]
D --> L["Linked objects (findings, vex, exceptions, capsules)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Proof Chain: chain-902 (hotfix-auth 1.2.4) [Export] [Replay Capsule] |
| formerly: Evidence → Proof Chains (row) |
|--------------------------------------------------------------------------------------------------|
| Graph (simplified) |
| Digest sha256:aaaa… → SBOM pkt-7712 → Findings → Reachability proof → Policy gates → Approvals → |
| Capsule sealed → Promotion executed |
|--------------------------------------------------------------------------------------------------|
| Timeline |
| 07:10 SBOM created | 07:12 findings evaluated | 07:20 approval signed | 07:30 promoted |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.9 Screen — Replay / Verify
**New location:** `Evidence & Audit → Replay / Verify`
**Previously:** `Evidence → Replay/Verify` (“Verdict Replay”)
**Why changed:**
* Deterministic replay is a core audit tool; keep it under Evidence and give it a clear “replay inputs, compare diffs” workflow. ([Gitea: Git with a cup of tea][5])
### Screen graph (Mermaid)
```mermaid
flowchart TD
R["Replay / Verify"] --> Q["Request Replay"]
R --> L["Replay Requests list"]
L --> D["Replay Result Detail"]
D --> C["Compare outputs (feeds/policy/tool versions)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Replay / Verify [Request Replay] |
| formerly: Evidence → Replay/Verify (Verdict Replay) |
|--------------------------------------------------------------------------------------------------|
| Request Replay: [Verdict ID or Digest ____] Reason [____________________] [Run] |
|--------------------------------------------------------------------------------------------------|
| Requests |
| rr-001 digest sha256:aaaa… COMPLETED Feb 18 08:30 match: ✅ |
| rr-002 digest sha256:bbbb… RUNNING Feb 18 07:30 |
|--------------------------------------------------------------------------------------------------|
| Determinism: compares outputs to original capsule inputs; highlights feed/policy/tool diffs. |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.10 Screen — Replay Result Detail
**New location:** `Replay/Verify → (Replay Result)`
**Previously:** not explicit
**Why changed:**
* Needed to explain mismatches (policy pack changed, feed snapshot updated, tool version drift).
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Replay Result Detail"] --> M["Match summary"]
D --> DI["Diff view (inputs/outputs)"]
D --> X["Re-seal capsule (optional)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Replay Result: rr-001 (MATCH ✅) [Download Diff] |
| formerly: Evidence → Replay/Verify (inline) |
|--------------------------------------------------------------------------------------------------|
| Compared to capsule: capsule-prod-us-east-1-2026-02-18 |
| Inputs: SBOM ✅ same Feeds ✅ same snapshot Policy ✅ same Tools ✅ same |
| Outputs: Findings ✅ same Reachability ✅ same VEX ✅ same Verdict ✅ same |
+--------------------------------------------------------------------------------------------------+
```
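The replay comparison described in 2.9 and 2.10 (re-run against the capsule's frozen inputs, then explain any mismatch as a policy, feed or tool change) can be sketched as follows. This is an added example, not Stella Ops code: the section names, the `seal` and `compare_replay` functions, the status labels and the sample capsule contents are assumptions constructed for illustration.

```python
import hashlib
import json

INPUT_KEYS = ("sbom", "feeds", "policy", "tools")
OUTPUT_KEYS = ("findings", "reachability", "vex", "verdict")
# Mismatch causes named in section 2.10, keyed by the input that drifted.
CAUSES = {
    "policy": "policy pack changed",
    "feeds": "feed snapshot updated",
    "tools": "tool version drift",
    "sbom": "different SBOM supplied",   # assumption: not named on the page
}


def digest(value) -> str:
    """Hash a JSON value canonically so key order and whitespace do not matter."""
    blob = json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def seal(inputs, outputs):
    """Record one digest per section, as would be frozen at decision time."""
    return {
        "inputs": {k: digest(inputs[k]) for k in INPUT_KEYS},
        "outputs": {k: digest(outputs[k]) for k in OUTPUT_KEYS},
    }


def compare_replay(capsule, replay_inputs, replay_outputs):
    """Compare a replay run against the sealed capsule and classify the result.

    MATCH             - same inputs, same outputs
    INPUT_DRIFT       - the replay did not run on the frozen inputs, so any
                        output difference is explained by the listed causes
    NON_DETERMINISTIC - identical inputs produced different outputs
    """
    replay = seal(replay_inputs, replay_outputs)
    input_diffs = [k for k in INPUT_KEYS
                   if capsule["inputs"][k] != replay["inputs"][k]]
    output_diffs = [k for k in OUTPUT_KEYS
                    if capsule["outputs"][k] != replay["outputs"][k]]
    if input_diffs:
        status = "INPUT_DRIFT"
    elif output_diffs:
        status = "NON_DETERMINISTIC"
    else:
        status = "MATCH"
    return {"status": status,
            "input_diffs": input_diffs,
            "output_diffs": output_diffs,
            "causes": [CAUSES[k] for k in input_diffs]}


# Constructed sample capsule contents (all values are placeholders).
ORIGINAL_INPUTS = {
    "sbom": {"components": [{"name": "openssl", "version": "3.0.x"}]},
    "feeds": {"osv": "snapshot-A", "nvd": "snapshot-A"},
    "policy": {"pack": "core-pack", "version": 12},
    "tools": {"scanner": "build-1"},
}
ORIGINAL_OUTPUTS = {
    "findings": [{"cve": "CVE-0000-0001", "severity": "HIGH"}],
    "reachability": {"CVE-0000-0001": "reachable"},
    "vex": [],
    "verdict": "BLOCK",
}
CAPSULE = seal(ORIGINAL_INPUTS, ORIGINAL_OUTPUTS)

if __name__ == "__main__":
    drifted = dict(ORIGINAL_INPUTS, policy={"pack": "core-pack", "version": 13})
    changed = dict(ORIGINAL_OUTPUTS, verdict="PASS")
    print(compare_replay(CAPSULE, ORIGINAL_INPUTS, ORIGINAL_OUTPUTS))
    print(compare_replay(CAPSULE, drifted, changed))
    print(compare_replay(CAPSULE, ORIGINAL_INPUTS, changed))
```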
---
## 2.11 Screen — Export Center
**New location:** `Evidence & Audit → Export Center`
**Previously:** `Evidence → Export` (“Export Center”)
**Why changed:**
* Keep it evidence-centered; export is how auditors receive proof (zip/tgz/OCI).
### Screen graph (Mermaid)
```mermaid
flowchart TD
X["Export Center"] --> P["Profiles"]
X --> R["Export Runs"]
P --> E["Edit Profile"]
R --> D["Export Run Detail"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Export Center [Create Profile] |
| formerly: Evidence → Export (Export Center) |
|--------------------------------------------------------------------------------------------------|
| Profiles |
| - StellaBundle (OCI referrer) includes: SBOM, findings, attestations, provenance, VEX, policy |
| - Daily Compliance Export schedule: daily → S3 compliance-bucket |
| - Audit Bundle manual zip for external auditors |
|--------------------------------------------------------------------------------------------------|
| Tabs: [Profiles] [Export Runs] |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.12 Screen — Export Run Detail
**New location:** `Export Center → Export Runs → (Run)`
**Previously:** not explicit
**Why changed:**
* Make exports verifiable: show hash, signature status, destinations, and linked capsules.
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Export Run Detail"] --> A["Artifacts produced"]
D --> S["Signatures + verification"]
D --> DST["Destinations + delivery logs"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Export Run: exp-8812 (SUCCESS ✅) [Download] [Verify] |
| formerly: Evidence → Export (run row) |
|--------------------------------------------------------------------------------------------------|
| Profile: Audit Bundle Output: audit-bundle-2026-02-18.zip sha256:... DSSE: ✅ |
| Contents: 14 capsules, 32 packets, proof graphs, policy pack v12, feed snapshots |
| Destinations: S3://compliance-bucket (ok) |
+--------------------------------------------------------------------------------------------------+
```
---
## 2.13 Screen — Coverage Metrics (Attestation coverage)
**New location:** `Evidence & Audit → Coverage Metrics`
**Previously:** `Analytics → SBOM Lake` (“SBOM Lake”)
**Why changed:**
* This is not “analytics for analytics' sake”; it's **audit readiness coverage** (SBOM, reachability, VEX, policy decision, approvals).
* Renaming aligns it with operational meaning.
### Screen graph (Mermaid)
```mermaid
flowchart TD
C["Coverage Metrics"] --> F["Filters (region/env/time/severity)"]
C --> T["Coverage by attestation type"]
C --> G["Gaps list (what's missing where)"]
G --> L["Deep links: jobs/integrations causing gaps"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Evidence & Audit / Coverage Metrics [Export CSV] [Refresh] |
| formerly: Analytics → SBOM Lake |
|--------------------------------------------------------------------------------------------------|
| Filters: Region [All] Env [All] Time [30d] Min Severity [All] |
|--------------------------------------------------------------------------------------------------|
| Coverage by attestation type |
| SBOM 100% (0 missing) |
| Reachability 78% (runtime missing in prod/eu-west-1) |
| Policy Decision 100% |
| Human Approval 100% |
| VEX 41% (vendor statements not imported for 12 CVEs) |
|--------------------------------------------------------------------------------------------------|
| Gap list (actionable) |
| - prod/eu-west-1: runtime reachability missing → agent offline (link: Ops Platform Health) |
| - advisory freshness: NVD stale 26h → mirror sync failing (link: Ops Feeds & AirGap) |
+--------------------------------------------------------------------------------------------------+
```
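One way to derive the per-type percentages and the gap list from an inventory of deployed digests, as an added example (not Stella Ops code). The record layout and the sample records are assumptions; the attestation types are the ones listed in the mock above.

```python
from collections import defaultdict

# Attestation types from the Coverage Metrics mock; the record layout is assumed.
ATTESTATION_TYPES = ("sbom", "reachability", "policy_decision", "human_approval", "vex")


def coverage_report(records: list) -> dict:
    """Per-type coverage plus a gap list grouped by (env, region, type).

    Each record is one deployed digest in one env/region together with the
    attestation types that exist for it.
    """
    total = len(records)
    present = dict.fromkeys(ATTESTATION_TYPES, 0)
    missing = defaultdict(list)  # (env, region, type) -> digests lacking that type
    for rec in records:
        have = set(rec["attestations"])
        for kind in ATTESTATION_TYPES:
            if kind in have:
                present[kind] += 1
            else:
                missing[(rec["env"], rec["region"], kind)].append(rec["digest"])
    # An empty inventory reports 0%, not 100%: absence of evidence is not coverage.
    by_type = {
        kind: (round(100 * present[kind] / total) if total else 0)
        for kind in ATTESTATION_TYPES
    }
    gaps = [
        {"env": env, "region": region, "type": kind, "digests": sorted(digests)}
        for (env, region, kind), digests in sorted(missing.items())
    ]
    return {"by_type": by_type, "gaps": gaps}


# Constructed inventory; digests are placeholders.
ALL_TYPES = list(ATTESTATION_TYPES)
RECORDS = [
    {"env": "prod", "region": "us-east-1", "digest": "sha256:aaaa", "attestations": ALL_TYPES},
    {"env": "prod", "region": "eu-west-1", "digest": "sha256:aaaa",
     "attestations": ["sbom", "policy_decision", "human_approval"]},
    {"env": "stage", "region": "us-east-1", "digest": "sha256:bbbb",
     "attestations": ["sbom", "reachability", "policy_decision", "human_approval"]},
    {"env": "stage", "region": "eu-west-1", "digest": "sha256:bbbb", "attestations": ALL_TYPES},
]
```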
---
# 3) OPERATIONS — menus + screens
## 3.1 Operations menu graph (Mermaid)
```mermaid
flowchart TD
O0["Operations (menu)"]
O1["Ops Summary / Nightly Ops Report"]
O2["Platform Health"]
O3["Scheduler Runs"]
O4["Scheduler Run Detail"]
O5["Orchestrator Jobs"]
O6["Orchestrator Job Detail"]
O7["Dead Letter Queue"]
O8["Quotas & Throttles"]
O9["Worker Fleet"]
O10["Feeds & AirGap (see Pack 2)"]
O0 --> O1
O0 --> O2
O0 --> O3 --> O4
O0 --> O5 --> O6
O0 --> O7
O0 --> O8
O3 --> O9
O0 --> O10
```
---
## 3.2 Screen — Ops Summary / Nightly Ops Report (NEW)
**New location:** `Operations → Ops Summary / Nightly Report`
**Previously:** *missing* (signals scattered across Scheduler/Feeds/Integrations)
**Why changed:**
* You requested a report that tells you when nightly jobs detect issues:
* SBOM re-scan failures
* CVE source not synced / stale
* integrations not connectable
* reachability ingest gaps
* This page is the “operator's morning brief” and feeds both Dashboard and Security coverage.
### Screen graph (Mermaid)
```mermaid
flowchart LR
N["Nightly Ops Report"] --> J["Job Health (nightly suites)"]
N --> F["Feed Freshness (OSV/NVD/etc)"]
N --> I["Integration Connectivity"]
N --> C["Coverage Gaps (SBOM/reachability/VEX)"]
N --> D["Deep links: Scheduler run / Mirror detail / Integration detail"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Nightly Ops Report [Export] [Acknowledge] |
| formerly: (missing / implicit) |
|--------------------------------------------------------------------------------------------------|
| Nightly suites (last run window) |
| ✅ SBOM Rescan (images) 02:00–02:18 ok |
| ⚠ Runtime Reachability Ingest 02:00–02:30 degraded (prod/eu-west-1 no agent) |
| ❌ NVD Mirror Sync 02:00–02:10 failed (timeout) |
| ✅ Evidence Seal/Archive 02:20–02:22 ok |
|--------------------------------------------------------------------------------------------------|
| Impact summary |
| - Promotions at risk: prod policy requires “fresh advisories” → NVD stale blocks promotions |
| - Security signal degraded: runtime reachability coverage down in prod/eu-west-1 |
|--------------------------------------------------------------------------------------------------|
| Deep links |
| [Open Scheduler run: nvd-sync#run-881] [Open Feed mirror: nvd-mirror-1] [Open Agent status] |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.3 Screen — Platform Health (services + security pipelines)
**New location:** `Operations → Platform Health`
**Previously:** `Operations → Platform Health` (“Platform Health”)
**Why changed:**
* This must show not only “docker/service up”, but whether **security pipelines** are healthy:
* advisory freshness, SBOM ingestion, reachability ingestion, evidence sealing, replay service.
### Screen graph (Mermaid)
```mermaid
flowchart TD
P["Platform Health"] --> S["Service health (APIs/workers)"]
P --> D["Dependencies (db/queue/storage)"]
P --> SP["Security pipelines (feeds/sbom/reachability/vex)"]
P --> L["Live incidents (last 24h)"]
SP --> N["Nightly report"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Platform Health [Refresh] [View Incidents]|
| formerly: Operations → Platform Health |
|--------------------------------------------------------------------------------------------------|
| Core Services | Dependencies | Security Pipelines |
|------------------------------------+---------------------------------+---------------------------|
| API Gateway ✅ | Database ✅ | Advisory freshness ❌ NVD |
| Policy Engine ✅ | Queue / Broker ✅ | SBOM ingest ✅ |
| Evidence Locker ✅ | Object Storage ✅ | Reachability ingest ⚠ |
| Replay Service ✅ | Rekor/Transparency ✅ | VEX import ⚠ |
|--------------------------------------------------------------------------------------------------|
| Incident timeline (24h): no user-facing incidents; 2 pipeline degradations tracked |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.4 Screen — Scheduler Runs
**New location:** `Operations → Scheduler Runs`
**Previously:** `Operations → Scheduler` (“Scheduler Runs”)
**Why changed:**
* Keep the page, but make it oriented around **nightly suites** and **data freshness** with links back to impact (coverage gaps, blocked promotions).
### Screen graph (Mermaid)
```mermaid
flowchart TD
S["Scheduler Runs"] --> R["Run Detail"]
S --> M["Manage Schedules"]
S --> W["Worker Fleet"]
R --> L["Logs"]
R --> I["Impact (coverage/gates)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Scheduler Runs [Manage Schedules] |
| formerly: Operations → Scheduler (Scheduler Runs) |
|--------------------------------------------------------------------------------------------------|
| Filters: Status [All] Window [Last 24h] Job type [All] |
|--------------------------------------------------------------------------------------------------|
| JOB LAST RUN STATUS DURATION NEXT RUN ACTIONS |
| nightly-sbom Feb 18 02:00 ✅ 18m Feb 19 View Logs |
| nightly-runtime Feb 18 02:00 ⚠ 30m Feb 19 View Logs View Impact |
| nvd-sync Feb 18 02:00 ❌ 10m retry View Logs Open Mirror |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.5 Screen — Scheduler Run Detail
**New location:** `Scheduler Runs → (Run)`
**Previously:** minimal
**Why changed:**
* Adds “impact” panel: what did this job affect (coverage, promotions, alerts).
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Scheduler Run Detail"] --> L["Logs"]
D --> E["Errors + retries"]
D --> O["Outputs (packets/snapshots)"]
D --> I["Impact (coverage/gates)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Scheduler Run: nvd-sync#run-881 (FAILED ❌) [Retry] [Open Mirror] |
| formerly: Operations → Scheduler (inline) |
|--------------------------------------------------------------------------------------------------|
| Error: timeout contacting upstream NVD |
| Outputs: none |
| Impact: |
| - Advisory freshness: NVD stale 26h |
| - Promotion gate: “fresh advisories” will BLOCK prod promotions |
| Links: [Nightly Ops Report] [Feed Mirror Detail] |
+--------------------------------------------------------------------------------------------------+
```
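The link from a failed feed sync to a blocked promotion, described here and in the Nightly Ops Report impact summary, can be expressed as a gate that fails closed. This is an added example, not Stella Ops code: the 24h threshold, the `WARN` outcome for non-prod environments, the function name and the timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)    # assumed threshold; the page only shows NVD flagged at 26h
REQUIRED_FEEDS = ("nvd", "osv")  # feed names from the Nightly Ops Report graph
ENFORCING_ENVS = {"prod"}        # the page states the prod policy requires fresh advisories


def evaluate_fresh_advisories(last_sync: dict, now: datetime, env: str) -> dict:
    """Evaluate the "fresh advisories" gate for one promotion target.

    last_sync maps feed name -> timezone-aware datetime of the last successful
    sync. A feed with no recorded sync fails the gate just like a stale one.
    """
    limit_h = int(MAX_AGE.total_seconds() // 3600)
    reasons = []
    for feed in REQUIRED_FEEDS:
        synced = last_sync.get(feed)
        if synced is None:
            reasons.append(f"{feed}: no successful sync recorded")
            continue
        age = now - synced
        if age < timedelta(0):
            # A future timestamp is untrustworthy data, not proof of freshness.
            reasons.append(f"{feed}: last sync is in the future")
        elif age > MAX_AGE:
            hours = int(age.total_seconds() // 3600)
            reasons.append(f"{feed}: stale {hours}h (max {limit_h}h)")
    if not reasons:
        decision = "ALLOW"
    elif env in ENFORCING_ENVS:
        decision = "BLOCK"
    else:
        decision = "WARN"  # assumption: non-enforcing environments only surface the reasons
    return {"decision": decision, "reasons": reasons}


# Constructed timestamps modelled on the mock: NVD last synced 26h before evaluation.
NOW = datetime(2026, 2, 18, 8, 0, tzinfo=timezone.utc)
LAST_SYNC = {
    "nvd": datetime(2026, 2, 17, 6, 0, tzinfo=timezone.utc),
    "osv": datetime(2026, 2, 18, 2, 10, tzinfo=timezone.utc),
}
```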
---
## 3.6 Screen — Orchestrator Jobs
**New location:** `Operations → Orchestrator`
**Previously:** `Operations → Orchestrator` (“Orchestrator Dashboard”)
**Why changed:**
* Keep access controls, but the main view must be **job status + history** with drilldowns (promotions, rescans, evidence sealing, backfills).
### Screen graph (Mermaid)
```mermaid
flowchart TD
O["Orchestrator Jobs"] --> J["Job list"]
O --> A["Access rights panel"]
J --> D["Job Detail"]
D --> L["Logs"]
D --> DLQ["Send to Dead Letter / recover"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Orchestrator Jobs [Jobs] [Backfills] |
| formerly: Operations → Orchestrator (Orchestrator Dashboard) |
|--------------------------------------------------------------------------------------------------|
| Access (current user) |
| View jobs: ✅ Granted | Operate: ❌ Denied | Manage quotas: ❌ Denied | Backfill: ❌ Denied |
|--------------------------------------------------------------------------------------------------|
| Recent jobs |
| JOB ID TYPE TARGET/ENV STATUS START ACTIONS |
| job-551 promotion prod/us-east-1 RUNNING 08:10 View |
| job-552 nightly-sbom all COMPLETED 02:00 View |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.7 Screen — Orchestrator Job Detail
**New location:** `Orchestrator → (Job)`
**Previously:** not clear
**Why changed:**
* Single place for logs, produced artifacts (packets/capsules), and failure recovery actions.
### Screen graph (Mermaid)
```mermaid
flowchart LR
D["Job Detail"] --> S["Steps (workflow graph)"]
D --> L["Logs"]
D --> A["Artifacts produced"]
D --> R["Recovery / retry"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Job: job-551 (promotion) [View Capsule] |
| formerly: Operations → Orchestrator (job row) |
|--------------------------------------------------------------------------------------------------|
| Workflow steps: Resolve digests → Evaluate policy → Collect approvals → Deploy → Seal capsule |
| Status: RUNNING (Deploy step) |
| Artifacts: pkt-... capsule-... (pending) |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.8 Screen — Dead Letter Queue
**New location:** `Operations → Dead Letter Queue`
**Previously:** `Operations → Dead Letter` (“Dead-Letter Queue Management”)
**Why changed:**
* DLQ is for failed jobs and should integrate with retry/replay and exports (so you can attach failure evidence).
### Screen graph (Mermaid)
```mermaid
flowchart TD
D["Dead Letter Queue"] --> E["Entry Detail"]
E --> R["Replay / retry job"]
E --> L["Logs"]
E --> X["Export failure bundle (optional)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Dead Letter Queue [Export CSV] [Replay All]|
| formerly: Operations → Dead Letter (Dead-Letter Queue Management) |
|--------------------------------------------------------------------------------------------------|
| Filters: Error type [All] Status [All] Search [job id / entry id] |
|--------------------------------------------------------------------------------------------------|
| ENTRY ID JOB ID ERROR FIRST SEEN STATUS ACTIONS |
| dlq-001 job-77 feed timeout (NVD) Feb 18 02:05 retriable View Replay |
| dlq-002 job-88 agent offline Feb 18 02:06 blocked View Diagnose |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.9 Screen — Quotas & Throttles (runtime ops)
**New location:** `Operations → Quotas & Throttles`
**Previously:** `Operations → Quotas` (“Operator Quota Dashboard”)
**Why changed:**
* Separate **runtime throttling + recent throttle events** (Ops) from **tenant quota configuration** (Administration → Usage & Limits).
### Screen graph (Mermaid)
```mermaid
flowchart LR
Q["Quotas & Throttles"] --> C["Consumption trend (scans/evidence/api)"]
Q --> T["Throttle events"]
Q --> A["Admin: Usage & Limits (configure)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Quotas & Throttles [Configure Alerts] |
| formerly: Operations → Quotas (Operator Quota Dashboard) |
|--------------------------------------------------------------------------------------------------|
| Consumption (30d): Scans ████░ Evidence packets ███░ API █████░ Storage ███░ |
|--------------------------------------------------------------------------------------------------|
| Recent throttle events (24h): none |
| Note: configure limits in Administration → Usage & Limits. |
+--------------------------------------------------------------------------------------------------+
```
---
## 3.10 Screen — Worker Fleet
**New location:** `Operations → Scheduler Runs → Worker Fleet`
**Previously:** “Worker Fleet” button existed but not surfaced as a core operational screen
**Why changed:**
* Reachability runtime ingestion and SBOM jobs depend on workers/agents; fleet health should be one click from Scheduler and from Hybrid Reachability gaps.
### Screen graph (Mermaid)
```mermaid
flowchart TD
W["Worker Fleet"] --> N["Nodes/workers list"]
W --> H["Heartbeat + load"]
W --> C["Capabilities (sbom, reachability, export)"]
```
### ASCII mock
```text
+--------------------------------------------------------------------------------------------------+
| Operations / Worker Fleet [Drain] [Restart] |
| formerly: Scheduler → Worker Fleet (button) |
|--------------------------------------------------------------------------------------------------|
| WORKER ROLE(S) HEARTBEAT LOAD STATUS |
| worker-us-e1-01 sbom, policy, export 10s 0.4 ✅ |
| agent-eu-w1-01 runtime reachability 6h — ❌ offline |
|--------------------------------------------------------------------------------------------------|
| Note: offline runtime agents directly reduce hybrid reachability coverage. |
+--------------------------------------------------------------------------------------------------+
```
---
## Your “continue” pointer
If you want **Pack 4**, I'll cover the remaining *Release Control* runtime screens (Releases, Approvals, Deployments, Regions/Env detail) with the same: **menu mermaid + per-screen mermaid + ASCII + formerly/why**—but I didn't repeat them here to avoid duplicating what we already established in Packs 1–2.
[1]: https://stella-ops.org/?utm_source=chatgpt.com "Stella Ops Suite - Evidence-Grade Release Control for Non ..."
[2]: https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/490339561842d30f212e390efb9e8409cd395fe3/docs-archived/ui-analysis/rework/01-ui-rework-adivsory.md?utm_source=chatgpt.com "git.stella-ops.org/01-ui-rework-adivsory.md at ... - Stella Ops Suite"
[3]: https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/3130cdb702f34e550725717c6f13a4919bac0bb3/docs/marketing/evidence-linked-vex.md?utm_source=chatgpt.com "git.stella-ops.org/evidence-linked-vex.md at ... - Stella Ops Suite"
[4]: https://stella-ops.org/docs/key-features/?utm_source=chatgpt.com "Stella Ops Signed Reachability · Deterministic Replay · Sovereign ..."
[5]: https://git.stella-ops.org/stella-ops.org/git.stella-ops.org/src/commit/342c35f8ce1544cf816d8a4b41ebaff6187e7016/docs/replay/DEVS_GUIDE_REPLAY.md?utm_source=chatgpt.com "Stella Ops — Developer Guide: Deterministic Replay"