# Complete Feature Matrix - Stella Ops Suite

(Auto-generated with code mapping)

This document extends FEATURE_MATRIX.md with module/file mappings and CLI/UI coverage verification.
## SBOM & Ingestion

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Trivy-JSON Ingestion | Free/Pro/Ent | Concelier | TrivyDbExporterPlugin.cs, TrivyDbBoltBuilder.cs | - | /concelier/trivy-db-settings | Implemented |
| SPDX-JSON 3.0.1 Ingestion | Free/Pro/Ent | Concelier, Scanner | SbomParser.cs, SpdxJsonLdSerializer.cs | stella sbom list --format spdx | /sbom-sources | Implemented |
| CycloneDX 1.7 Ingestion | Free/Pro/Ent | Concelier, Scanner | SbomParser.cs, CycloneDxComposer.cs | stella sbom list --format cyclonedx | /sbom-sources | Implemented |
| Auto-format Detection | Free/Pro/Ent | Concelier | ISbomParser.cs, SbomParser.cs (DetectFormatAsync) | Implicit in stella sbom | Implicit | Implemented |
| Delta-SBOM Cache | Free/Pro/Ent | SbomService | VexDeltaRepository.cs, InMemoryLineageCompareCache.cs, ValkeyLineageCompareCache.cs | - | - | Implemented |
| SBOM Generation (all formats) | Free/Pro/Ent | Scanner | SpdxComposer.cs, CycloneDxComposer.cs, SpdxLayerWriter.cs, CycloneDxLayerWriter.cs | stella scan run | /findings (scan results) | Implemented |
| Semantic SBOM Diff | Free/Pro/Ent | Scanner, SbomService | SbomDiff.cs, SbomDiffEngine.cs, LineageCompareService.cs | - | /lineage | Implemented |
| BYOS (Bring-Your-Own-SBOM) | Free/Pro/Ent | Scanner | SbomByosUploadService.cs, SbomUploadStore.cs, SbomUploadEndpoints.cs | stella sbom upload (pending) | /sbom-sources | Implemented |
| SBOM Lineage Ledger | Enterprise | SbomService | SbomLineageEdgeRepository.cs, SbomLedgerModels.cs, SbomServiceDbContext.cs | - | /lineage | Implemented |
| SBOM Lineage API | Enterprise | SbomService, Graph | ILineageGraphService.cs, SbomLineageGraphService.cs, LineageExportService.cs, LineageController.cs | - | /lineage | Implemented |
### CLI Commands (SBOM)

| Command | Description | Status |
|---|---|---|
| stella sbom list | List SBOMs with filters (--image, --digest, --format, --created-after/before) | Implemented |
| `stella sbom show <id>` | Display SBOM details | Implemented |
| stella sbom upload | Upload external SBOM (BYOS) | Pending verification |
| stella sbomer layer list | List layer fragments for a scan | Implemented |
| stella sbomer compose | Compose layer SBOMs | Implemented |
| stella sbomer verify | Verify Merkle tree integrity | Implemented |

### UI Routes (SBOM)

| Route | Feature | Status |
|---|---|---|
| /sbom-sources | SBOM ingestion source management | Implemented |
| /lineage | SBOM lineage graph and smart diff | Implemented |
| /graph | Interactive SBOM dependency visualization | Implemented |
| /concelier/trivy-db-settings | Trivy vulnerability database configuration | Implemented |

### Coverage Gaps (SBOM)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| Delta-SBOM Cache | No | No | Internal optimization, no direct exposure needed |
| Auto-format Detection | Implicit | Implicit | Works automatically, no explicit command |
| SBOM Lineage Ledger | No | Yes | CLI access would be useful for automation |
| SBOM Lineage API | No | Yes | CLI access would be useful for automation |
## Scanning & Detection

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| CVE Lookup via Local DB | Free/Pro/Ent | Scanner | VulnSurfaceService.cs, AdvisoryClient.cs | stella scan run | /findings | Implemented |
| License-Risk Detection | All (Planned) | Scanner | Package manifest extraction only | - | - | Planned (Q4-2025) |
| .NET/C# Analyzer | Free/Pro/Ent | Scanner | DotNetLanguageAnalyzer.cs, DotNetDependencyCollector.cs, MsBuildProjectParser.cs | stella scan run | /findings | Implemented |
| Java Analyzer | Free/Pro/Ent | Scanner | JavaLanguageAnalyzer.cs, JavaWorkspaceNormalizer.cs | stella scan run | /findings | Implemented |
| Go Analyzer | Free/Pro/Ent | Scanner | GoLanguageAnalyzer.cs | stella scan run | /findings | Implemented |
| Python Analyzer | Free/Pro/Ent | Scanner | PythonLanguageAnalyzer.cs, PythonEnvironmentDetector.cs, ContainerLayerAdapter.cs | stella scan run | /findings | Implemented |
| Node.js Analyzer | Free/Pro/Ent | Scanner | NodeLanguageAnalyzer.cs | stella scan run | /findings | Implemented |
| Ruby Analyzer | Free/Pro/Ent | Scanner | RubyLanguageAnalyzer.cs, RubyVendorArtifactCollector.cs | stella ruby inspect | /findings | Implemented |
| Bun Analyzer | Free/Pro/Ent | Scanner | BunLanguageAnalyzer.cs | stella bun inspect | /findings | Implemented |
| Deno Analyzer | Free/Pro/Ent | Scanner | DenoLanguageAnalyzer.cs | stella scan run | /findings | Implemented |
| PHP Analyzer | Free/Pro/Ent | Scanner | PhpLanguageAnalyzer.cs | stella php inspect | /findings | Implemented |
| Rust Analyzer | Free/Pro/Ent | Scanner | RustLanguageAnalyzer.cs | stella scan run | /findings | Implemented |
| Native Binary Analyzer | Free/Pro/Ent | Scanner | NativeAnalyzer.cs | stella binary | /analyze/patch-map | Implemented |
| Quick Mode | Free/Pro/Ent | Scanner | FidelityLevel.cs, FidelityConfiguration.cs, FidelityAwareAnalyzer.cs | stella scan run --fidelity quick | /ops/scanner | Implemented |
| Standard Mode | Free/Pro/Ent | Scanner | FidelityLevel.cs, FidelityConfiguration.cs | stella scan run --fidelity standard | /ops/scanner | Implemented |
| Deep Mode | Pro/Ent | Scanner | FidelityLevel.cs, FidelityConfiguration.cs | stella scan run --fidelity deep | /ops/scanner | Implemented |
| Base Image Detection | Free/Pro/Ent | Scanner | OciImageInspector.cs, OciImageConfig.cs | stella image inspect | /findings | Implemented |
| Layer-Aware Analysis | Free/Pro/Ent | Scanner | LayeredRootFileSystem.cs, ContainerLayerAdapter.cs | stella scan layer-sbom | /findings | Implemented |
| Concurrent Scan Workers | 1 / 3 / Unlimited (Free/Pro/Ent) | Scanner | IScanQueue.cs, NatsScanQueue.cs, ScanJobProcessor.cs | - | /ops/scanner | Implemented |
### CLI Commands (Scanning)

| Command | Description | Status |
|---|---|---|
| stella scan run | Execute scanner with --runner, --entry, --target | Implemented |
| stella scan upload | Upload completed scan results | Implemented |
| stella scan entrytrace | Show entry trace summary for a scan | Implemented |
| stella scan sarif | Export scan results in SARIF 2.1.0 format | Implemented |
| stella scan replay | Replay scan with deterministic hashes | Implemented |
| stella scan gate-policy | VEX gate evaluation | Implemented |
| stella scan layers | Container layer operations | Implemented |
| stella scan layer-sbom | Layer SBOM composition | Implemented |
| stella scan diff | Binary diff analysis | Implemented |
| stella image inspect | Inspect OCI image manifest and layers | Implemented |
| stella ruby inspect | Inspect Ruby workspace | Implemented |
| stella php inspect | Inspect PHP workspace | Implemented |
| stella python inspect | Inspect Python workspace/venv | Implemented |
| stella bun inspect | Inspect Bun workspace | Implemented |
| stella scanner download | Download latest scanner bundle | Implemented |

### UI Routes (Scanning)

| Route | Feature | Status |
|---|---|---|
| /findings | Vulnerability findings with diff-first view | Implemented |
| /findings/:scanId | Scan-specific findings | Implemented |
| /scans/:scanId | Individual scan result inspection | Implemented |
| /vulnerabilities | CVE/vulnerability database explorer | Implemented |
| /vulnerabilities/:vulnId | Vulnerability detail view | Implemented |
| /ops/scanner | Scanner offline kits, baselines, determinism settings | Implemented |
| /analyze/patch-map | Fleet-wide binary patch coverage heatmap | Implemented |

### Coverage Gaps (Scanning)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| License-Risk Detection | No | No | Planned feature, not yet implemented |
| Concurrent Worker Config | No | Yes | Worker count configured via ops UI/environment |
## Reachability Analysis

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Static Call Graph | Free/Pro/Ent | Scanner, ReachGraph | ReachabilityAnalyzer.cs, ReachGraphEdge.cs | stella reachgraph slice | /reachability | Implemented |
| Entrypoint Detection (9+ types) | Free/Pro/Ent | Scanner | JavaEntrypointClassifier.cs, EntryTraceResponse.cs | stella scan entrytrace | /reachability | Implemented |
| BFS Reachability | Free/Pro/Ent | Scanner | ReachabilityAnalyzer.cs (BFS traversal, max depth 256) | stella reachgraph slice --depth | /reachability | Implemented |
| Reachability Drift Detection | Free/Pro/Ent | Reachability.Core | ReachabilityLattice.cs (8-state machine) | stella drift | /reachability | Implemented |
| Binary Loader Resolution | Pro/Ent | Scanner | GuardDetector.cs (PLT/IAT), Binary entrypoint classifiers | stella binary | /analyze/patch-map | Implemented |
| Feature Flag/Config Gating | Pro/Ent | Scanner | GuardDetector.cs (env guards, platform checks, feature flags) | - | /reachability | Implemented |
| Runtime Signal Correlation | Enterprise | Signals | EvidenceWeightedScoreCalculator.cs, ISignalsAdapter.cs | - | /reachability | Implemented |
| Gate Detection (auth/admin) | Enterprise | Scanner | GuardDetector.cs (20+ patterns across 5+ languages) | - | /reachability | Implemented |
| Path Witness Generation | Enterprise | Scanner, ReachGraph | ReachabilityAnalyzer.cs (deterministic path ordering) | stella witness | - | Implemented |
| Reachability Mini-Map API | Enterprise | ReachGraph | ReachGraphStoreService.cs, ReachGraphContracts.cs | stella reachgraph slice | /reachability | Implemented |
| Runtime Timeline API | Enterprise | Signals | ISignalsAdapter.cs, Evidence window configuration | - | /reachability | Implemented |
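The BFS Reachability and Path Witness Generation rows above describe a depth-capped breadth-first search from the detected entrypoints to a vulnerable symbol, with a deterministically ordered witness path. The block below is an added illustrative example in Python, not the suite's ReachabilityAnalyzer.cs; the call graph, the symbol names and the assumption that the depth cap counts call edges are all constructed for the example.

```python
"""Added example: depth-capped BFS reachability with a deterministic path witness.

Illustrative Python, not the suite's C# analyzer. Graph, entrypoints and the
vulnerable symbol are constructed sample data.
"""
from collections import deque

MAX_DEPTH = 256  # the cap stated for the suite's BFS; assumed to count call edges

# Constructed sample call graph: caller -> callees (symbol names are made up).
SAMPLE_GRAPH = {
    "HttpHandler.handle": ["Service.process", "Auth.check"],
    "Scheduler.tick": ["Service.cleanup"],
    "Service.process": ["Parser.parse", "Logger.log"],
    "Service.cleanup": ["Logger.log"],
    "Parser.parse": ["vuln.lib:decode"],   # the vulnerable function
    "Auth.check": [],
    "Logger.log": [],
    "vuln.lib:decode": [],
    "Dead.code": ["vuln.lib:decode"],      # calls the sink but no entrypoint reaches it
}


def find_witness(graph, entrypoints, sink, max_depth=MAX_DEPTH):
    """Return the shortest entrypoint->sink path, or None if unreachable within max_depth.

    Determinism: entrypoints and callee lists are expanded in sorted order, so
    the same graph always yields the same witness regardless of input ordering.
    """
    parent = {}
    queue = deque()
    for ep in sorted(entrypoints):
        if ep not in parent:
            parent[ep] = None
            queue.append((ep, 0))
    while queue:
        node, depth = queue.popleft()
        if node == sink:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return list(reversed(path))
        if depth >= max_depth:
            continue  # depth cap reached: do not expand this node further
        for callee in sorted(graph.get(node, [])):
            if callee not in parent:
                parent[callee] = node
                queue.append((callee, depth + 1))
    return None


def classify(graph, entrypoints, sink, max_depth=MAX_DEPTH):
    """Static verdict plus witness: ('StaticReachable', path) or ('StaticUnreachable', None)."""
    witness = find_witness(graph, entrypoints, sink, max_depth)
    if witness is None:
        return "StaticUnreachable", None
    return "StaticReachable", witness
```

Sorting before expansion is what makes the witness reproducible across runs and hosts, so a stored witness can be recomputed and compared later. Note the failure mode of the cap: a sink that sits beyond max_depth call edges is reported StaticUnreachable, so a low --depth is a source of false negatives on deep call chains and should be treated as "not proven" rather than "proven absent".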
### CLI Commands (Reachability)

| Command | Description | Status |
|---|---|---|
| stella reachgraph slice | Query slice of reachability graph (--cve, --purl, --entrypoint, --depth) | Implemented |
| stella reachgraph replay | Replay reachability analysis for verification | Implemented |
| stella reachgraph verify | Verify graph integrity | Implemented |
| stella reachability show | Display reachability subgraph (table, json, dot, mermaid) | Implemented |
| stella reachability export | Export reachability data | Implemented |
| stella scan entrytrace | Show entry trace summary with semantic analysis | Implemented |
| stella witness | Path witness operations | Implemented |
| stella drift | Reachability drift detection | Implemented |

### UI Routes (Reachability)

| Route | Feature | Status |
|---|---|---|
| /reachability | Reachability center - analysis and coverage | Implemented |
| /graph | Interactive dependency graph with reachability overlay | Implemented |

### Key Implementation Details

Reachability Lattice (8 States):
- Unknown (0.00-0.29 confidence)
- StaticReachable (0.30-0.49)
- StaticUnreachable (0.50-0.69)
- RuntimeObserved (0.70-0.89)
- RuntimeUnobserved (0.70-0.89)
- ConfirmedReachable (0.90-1.00)
- ConfirmedUnreachable (0.90-1.00)
- Contested (static/runtime conflict)

Entrypoint Framework Types Detected:
- HTTP Handlers (Spring MVC, JAX-RS, Micronaut, GraphQL)
- Message Handlers (Kafka, RabbitMQ, JMS)
- Scheduled Jobs (Spring @Scheduled, Micronaut, JAX-EJB)
- gRPC Methods (Spring Boot gRPC, Netty gRPC)
- Event Handlers (Spring @EventListener)
- CLI Commands (main() method)
- Servlet Handlers (HttpServlet subclass)

### Coverage Gaps (Reachability)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| Runtime Signal Correlation | No | Yes | Consider CLI for signal inspection |
| Gate Detection | No | Yes | Guard conditions visible in reachability UI |
| Path Witness Generation | Yes | No | Consider UI visualization of witness paths |
## Binary Analysis (BinaryIndex)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Binary Identity Extraction | Free/Pro/Ent | BinaryIndex | BinaryIdentity.cs, IBinaryFeatureExtractor.cs | stella binary inspect | /analyze/patch-map | Implemented |
| Build-ID Vulnerability Lookup | Free/Pro/Ent | BinaryIndex | IBinaryVulnerabilityService.cs, ResolutionController.cs | stella binary lookup | /analyze/patch-map | Implemented |
| Debian/Ubuntu Corpus | Free/Pro/Ent | BinaryIndex | DebianCorpusConnector.cs, CorpusIngestionService.cs | - | - | Implemented |
| RPM/RHEL Corpus | Pro/Ent | BinaryIndex | RpmCorpusConnector.cs | - | - | Implemented |
| Patch-Aware Backport Detection | Pro/Ent | BinaryIndex | IFixIndexBuilder.cs, FixEvidence.cs, DebianChangelogParser.cs | stella patch-verify | - | Implemented |
| PE/Mach-O/ELF Parsers | Pro/Ent | BinaryIndex | Binary format detection in BinaryIdentity.cs | stella binary inspect | - | Implemented |
| Binary Fingerprint Generation | Enterprise | BinaryIndex | IVulnFingerprintGenerator.cs, BasicBlockFingerprintGenerator.cs, ControlFlowGraphFingerprintGenerator.cs, StringRefsFingerprintGenerator.cs | stella binary fingerprint | - | Implemented |
| Fingerprint Matching Engine | Enterprise | BinaryIndex | IFingerprintMatcher.cs, FingerprintMatcher.cs | stella binary lookup --fingerprint | - | Implemented |
| DWARF/Symbol Analysis | Enterprise | BinaryIndex | Symbol extraction in corpus functions | stella binary symbols | - | Implemented |
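Binary Identity Extraction and Build-ID Vulnerability Lookup key an ELF binary on its GNU Build-ID, which the linker stores as a note of type NT_GNU_BUILD_ID (owner "GNU") in the .note.gnu.build-id section. The block below is an added example, not the suite's BinaryIdentity.cs: a parser for the ELF note format in Python, run over note bytes constructed in-line (the make_note helper exists only to build that input; 4-byte note alignment, as emitted by the GNU toolchain, is assumed).

```python
"""Added example: extract the GNU Build-ID from ELF note bytes.

Illustrative Python, not the suite's BinaryIdentity.cs. The sample note blob
is constructed below so the example runs without a real binary.
"""
import hashlib
import struct

NT_GNU_BUILD_ID = 3  # note type for the Build-ID, owner name "GNU"


def _align4(n):
    return (n + 3) & ~3


def iter_elf_notes(data, little_endian=True):
    """Yield (name, type, desc) for each note in a SHT_NOTE/PT_NOTE blob.

    Each note is three u32 fields (namesz, descsz, type) followed by the
    owner name and the descriptor, each padded to a 4-byte boundary
    (assumption: 4-byte alignment, which is what GNU ld writes).
    """
    fmt = "<III" if little_endian else ">III"
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from(fmt, data, off)
        off += 12
        name = data[off:off + namesz].rstrip(b"\0").decode("ascii", "replace")
        off += _align4(namesz)
        desc = data[off:off + descsz]
        off += _align4(descsz)
        if len(desc) != descsz:
            raise ValueError("truncated note")
        yield name, ntype, desc


def build_id_from_notes(data, little_endian=True):
    """Return the GNU Build-ID as lowercase hex, or None when no such note exists."""
    for name, ntype, desc in iter_elf_notes(data, little_endian):
        if name == "GNU" and ntype == NT_GNU_BUILD_ID:
            return desc.hex()
    return None


def make_note(name, ntype, desc, little_endian=True):
    """Encode one ELF note; used here only to construct sample input."""
    fmt = "<III" if little_endian else ">III"
    nbytes = name.encode("ascii") + b"\0"
    body = nbytes + b"\0" * (_align4(len(nbytes)) - len(nbytes))
    body += desc + b"\0" * (_align4(len(desc)) - len(desc))
    return struct.pack(fmt, len(nbytes), len(desc), ntype) + body


# Constructed sample: an ABI-tag note (type 1) followed by a Build-ID note whose
# 20-byte descriptor is the SHA-1 of a made-up string standing in for the real
# linker-generated digest.
SAMPLE_BUILD_ID = hashlib.sha1(b"constructed-sample-binary").digest()
SAMPLE_NOTES = (make_note("GNU", 1, b"\0\0\0\0\3\0\0\0\2\0\0\0\0\0\0\0")
                + make_note("GNU", NT_GNU_BUILD_ID, SAMPLE_BUILD_ID))
```

The Build-ID is a content hash the linker computes at link time, so it identifies a specific build rather than a file name or package version; that is what lets a lookup answer "which distro build is this .so" even for a file copied out of its package. It is absent from binaries linked with --build-id=none, and stripped or repacked binaries can carry a note section that is truncated, which is why the parser refuses a short descriptor instead of returning a partial ID.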
### CLI Commands (Binary)

| Command | Description | Status |
|---|---|---|
| stella binary inspect | Inspect binary identity (Build-ID, hashes, architecture) | Implemented |
| stella binary lookup | Lookup vulnerabilities by binary identity/fingerprint | Implemented |
| stella binary symbols | Extract symbols from binary | Implemented |
| stella binary fingerprint | Generate fingerprints for binary functions | Implemented |
| stella binary verify | Verify binary match evidence | Implemented |
| stella binary submit | Submit binary for analysis | Implemented |
| stella binary info | Get binary analysis info | Implemented |
| stella binary callgraph | Extract call graph digest | Implemented |
| stella scan diff | Binary diff analysis | Implemented |
| stella patch-verify | Patch verification for backport detection | Implemented |
| stella patch-attest | Patch attestation operations | Implemented |
| stella deltasig | Delta signature operations | Implemented |

### UI Routes (Binary)

| Route | Feature | Status |
|---|---|---|
| /analyze/patch-map | Fleet-wide binary patch coverage heatmap | Implemented |
### Key Implementation Details

Fingerprint Algorithms (4 types):
- BasicBlock - Instruction-level basic block hashing (16 bytes)
- ControlFlowGraph - Weisfeiler-Lehman graph hash (32 bytes)
- StringRefs - String reference pattern hash (16 bytes)
- Combined - Multi-algorithm ensemble

Fix Detection Methods:
- SecurityFeed - Official OVAL, DSA feeds
- Changelog - Debian/Ubuntu changelog parsing
- PatchHeader - DEP-3 patch header extraction
- UpstreamPatchMatch - Upstream patch database

Supported Distributions:
- Debian, Ubuntu (DebianCorpusConnector)
- RHEL, Fedora, CentOS, Rocky, AlmaLinux (RpmCorpusConnector)
- Alpine Linux (AlpineCorpusConnector)
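The ControlFlowGraph fingerprint listed above is a Weisfeiler-Lehman graph hash: nodes are repeatedly relabelled with a hash of their own label plus their neighbours' labels, and the multiset of labels is digested. The block below is an added example, not the suite's ControlFlowGraphFingerprintGenerator.cs: a 1-WL hash over a labelled CFG in Python. The node labels (opcode classes of each basic block), the edges and the iteration count are constructed assumptions.

```python
"""Added example: 1-WL (Weisfeiler-Lehman) fingerprint of a control-flow graph.

Illustrative Python, not the suite's fingerprint generator. Labels, edges and
the iteration count are assumptions; the 32-byte output is a SHA-256 digest.
"""
import hashlib


def wl_hash(nodes, edges, iterations=3):
    """Return a 32-byte WL fingerprint of a directed, node-labelled graph.

    nodes: {node_id: label}   e.g. label = opcode class of the basic block
    edges: iterable of (src, dst)
    """
    succ = {n: [] for n in nodes}
    pred = {n: [] for n in nodes}
    for s, d in edges:
        succ[s].append(d)
        pred[d].append(s)
    labels = {n: hashlib.sha256(str(lbl).encode()).hexdigest() for n, lbl in nodes.items()}
    histogram = sorted(labels.values())          # round-0 label multiset
    for _ in range(iterations):
        new = {}
        for n in nodes:
            # Compress (own label, sorted successor labels, sorted predecessor labels).
            token = "|".join([labels[n],
                              ",".join(sorted(labels[m] for m in succ[n])),
                              ",".join(sorted(labels[m] for m in pred[n]))])
            new[n] = hashlib.sha256(token.encode()).hexdigest()
        labels = new
        histogram.extend(sorted(labels.values()))  # append this round's multiset
    # Sorting removes any dependence on node identifiers or insertion order.
    return hashlib.sha256("\n".join(histogram).encode()).digest()


# Constructed sample: a function with a loop, once with descriptive block names,
# once with renumbered blocks (same structure), and a variant with one extra edge.
CFG_A = ({"entry": "cmp", "loop": "arith", "exit": "ret"},
         [("entry", "loop"), ("loop", "loop"), ("loop", "exit")])
CFG_A_RENAMED = ({"b0": "cmp", "b1": "arith", "b2": "ret"},
                 [("b0", "b1"), ("b1", "b1"), ("b1", "b2")])
CFG_B = ({"entry": "cmp", "loop": "arith", "exit": "ret"},
         [("entry", "loop"), ("loop", "loop"), ("loop", "exit"), ("entry", "exit")])
```

Because the digest is built from sorted label multisets, renaming or reordering basic blocks leaves it unchanged while adding an edge changes it, which is the property that lets a stripped, relinked copy of a function still match the corpus. 1-WL is not a complete isomorphism test: structurally different graphs can collide, so a CFG match on its own is corroborating evidence rather than proof, and the Combined ensemble above exists to cross-check it against the BasicBlock and StringRefs fingerprints.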
### Coverage Gaps (Binary)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| Debian/Ubuntu Corpus | No | No | Internal corpus management - admin only |
| RPM/RHEL Corpus | No | No | Internal corpus management - admin only |
| Fingerprint Generation | Yes | No | Consider UI for fingerprint visualization |
| Corpus Ingestion | No | No | Admin operation - consider ops UI |
## Advisory Sources (Concelier)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| NVD | Free/Pro/Ent | Concelier | NvdConnector.cs, NvdMapper.cs | stella db fetch nvd | /concelier | Implemented |
| GHSA | Free/Pro/Ent | Concelier | GhsaConnector.cs (GraphQL, rate limits) | stella db fetch ghsa | /concelier | Implemented |
| OSV | Free/Pro/Ent | Concelier | OsvConnector.cs (multi-ecosystem) | stella db fetch osv | /concelier | Implemented |
| Alpine SecDB | Free/Pro/Ent | Concelier | Connector.Distro.Alpine/ | stella db fetch alpine | /concelier | Implemented |
| Debian Security Tracker | Free/Pro/Ent | Concelier | Connector.Distro.Debian/ (DSA, EVR) | stella db fetch debian | /concelier | Implemented |
| Ubuntu USN | Free/Pro/Ent | Concelier | Connector.Distro.Ubuntu/ | stella db fetch ubuntu | /concelier | Implemented |
| RHEL/CentOS OVAL | Pro/Ent | Concelier | Connector.Distro.RedHat/ (OVAL, NEVRA) | stella db fetch redhat | /concelier | Implemented |
| KEV (Exploited Vulns) | Free/Pro/Ent | Concelier | KevConnector.cs (CISA catalog) | stella db fetch kev | /concelier | Implemented |
| EPSS v4 | Free/Pro/Ent | Concelier | Connector.Epss/ | stella db fetch epss | /concelier | Implemented |
| Custom Advisory Connectors | Enterprise | Concelier | IFeedConnector interface | - | /admin | Implemented |
| Advisory Merge Engine | Enterprise | Concelier | AdvisoryPrecedenceMerger.cs, AffectedPackagePrecedenceResolver.cs | stella db merge | - | Implemented |
### CLI Commands (Advisory)

| Command | Description | Status |
|---|---|---|
| stella db fetch | Trigger connector fetch/parse/map | Implemented |
| stella db merge | Run canonical merge reconciliation | Implemented |
| stella db export | Run Concelier export jobs | Implemented |
| stella sources ingest | Validate source documents | Implemented |
| stella feeds snapshot | Create/list/export/import feed snapshots | Implemented |
| stella advisory | Advisory listing and search | Implemented |
| stella admin feeds | Feed management (admin) | Implemented |

### UI Routes (Advisory)

| Route | Feature | Status |
|---|---|---|
| /concelier/trivy-db-settings | Trivy vulnerability database configuration | Implemented |
| /ops/feeds | Feed mirror dashboard and air-gap bundles | Implemented |
### Key Implementation Details

Source Precedence (Lower = Higher Priority):
- Rank 0: redhat, ubuntu, debian, suse, alpine (distro PSIRTs)
- Rank 1: msrc, oracle, adobe, apple, cisco, vmware (vendor PSIRTs)
- Rank 2: ghsa, osv (ecosystem registries)
- Rank 3: jvn, acsc, cccs, cert-fr, cert-in, certbund, ru-bdu, kisa (regional CERTs)
- Rank 4: kev (exploit annotations)
- Rank 5: nvd (baseline)

Version Comparators:
- NEVRA (RPM): epoch:version-release with rpmvercmp
- EVR (Debian/Ubuntu): epoch:upstream_version-debian_revision
- APK (Alpine): `-r<pkgrel>` release suffix with suffix ordering
### Coverage Gaps (Advisory)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| Advisory Merge Engine | Yes | No | Consider merge status UI |
| Custom Connectors | No | No | Enterprise feature - needs admin UI |
| Feed Scheduling | No | Partial | Consider stella feeds schedule command |
## VEX Processing (Excititor, VexLens, VexHub, IssuerDirectory)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| OpenVEX Format Support | Free/Pro/Ent | Excititor | Formats.OpenVEX/, OpenVexParser.cs | stella vex | /vex | Implemented |
| CycloneDX VEX Format | Free/Pro/Ent | Excititor | Formats.CycloneDX/ | stella vex | /vex | Implemented |
| CSAF Format Support | Free/Pro/Ent | Excititor | Formats.CSAF/ | stella vex | /vex | Implemented |
| VEX Ingestion API | Free/Pro/Ent | Excititor | IngestEndpoints.cs, IVexObservationQueryService.cs | - | /vex | Implemented |
| VEX Observation Store | Free/Pro/Ent | Excititor | VexObservationQueryService.cs, AOC-compliant storage | - | - | Implemented |
| VEX Consensus Engine | Pro/Ent | VexLens | VexConsensusEngine.cs, IVexConsensusEngine.cs | stella vex consensus | /vex | Implemented |
| Trust Weight Scoring | Pro/Ent | VexLens | ITrustWeightEngine.cs, TrustDecayService.cs | - | /vex | Implemented |
| Issuer Trust Registry | Pro/Ent | IssuerDirectory | Full issuer CRUD and key management | - | /issuer-directory | Implemented |
| VEX Distribution Hub | Enterprise | VexHub | IVexIngestionService.cs, IVexExportService.cs | - | - | Implemented |
| VEX Gate Integration | Pro/Ent | Scanner | IVexGateService.cs, VexGateScanCommandGroup.cs | stella scan gate-policy | /findings | Implemented |
| VEX from Drift Generation | Pro/Ent | CLI | VexGenCommandGroup.cs | stella vex gen --from-drift | - | Implemented |
| Conflict Detection | Pro/Ent | VexLens, Excititor | VexLinksetDisagreementService.cs, NoiseGateService.cs | - | /vex | Implemented |
### CSAF Provider Connectors

| Connector | Module | Key Files | CLI | Status |
|---|---|---|---|---|
| Red Hat CSAF | Excititor | Connectors.RedHat.CSAF/ | - | Implemented |
| Ubuntu CSAF | Excititor | Connectors.Ubuntu.CSAF/ | - | Implemented |
| Oracle CSAF | Excititor | Connectors.Oracle.CSAF/ | - | Implemented |
| Microsoft MSRC CSAF | Excititor | Connectors.MSRC.CSAF/ | - | Implemented |
| Cisco CSAF | Excititor | Connectors.Cisco.CSAF/ | - | Implemented |
| SUSE RancherVEXHub | Excititor | Connectors.SUSE.RancherVEXHub/ | - | Implemented |
| OCI OpenVEX Attestation | Excititor | Connectors.OCI.OpenVEX.Attest/ | - | Implemented |

### CLI Commands (VEX)

| Command | Description | Status |
|---|---|---|
| stella vex consensus | Query VexLens consensus (--query, --output json/ndjson/table) | Implemented |
| stella vex get | Fetch single consensus record with rationale | Implemented |
| stella vex simulate | Test VEX policy decisions (aggregation-only) | Implemented |
| stella vex gen --from-drift | Generate VEX from container drift analysis | Implemented |
| stella scan gate-policy | VEX gate evaluation for findings | Implemented |

### UI Routes (VEX)

| Route | Feature | Status |
|---|---|---|
| /vex | VEX consensus and statement browser | Implemented |
| /issuer-directory | Issuer trust registry management | Implemented |
| /findings (VEX overlay) | VEX status overlay on findings | Implemented |
### Key Implementation Details

Consensus Lattice States:
- unknown (0.00) - No information
- under_investigation (0.25) - Being analyzed
- not_affected (0.50) - Confirmed not vulnerable
- affected (0.75) - Confirmed vulnerable
- fixed (1.00) - Patch applied

Trust Weight Factors (9 total):
- Issuer tier (critical/high/medium/low)
- Confidence score (0-1)
- Cryptographic attestation status
- Statement age (freshness decay)
- Patch applicability
- Source authority scope (PURL patterns)
- Key lifecycle status
- Justification quality
- Historical accuracy

AOC (Aggregation-Only Contract):
- Raw VEX stored verbatim with provenance
- No derived data at ingest time
- Linkset-only references
- Roslyn analyzers enforce compliance

Determinism Guarantees:
- RFC 8785 canonical JSON serialization
- Stable ordering (timestamp DESC, source ASC, hash ASC)
- UTC ISO-8601 timestamps
- SHA-256 consensus digests
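The four determinism guarantees above only deliver a reproducible consensus digest if they are applied together: canonical bytes, a total order over the statements, and a digest over the ordered set. The block below is an added example, not the suite's VexLens code, showing them combined in Python. The statement field names and the sample statements are constructed; the canonicalizer covers only the JSON subset used here (objects, arrays, strings, integers, booleans, null) in the RFC 8785 style, and rejects floats rather than approximate the RFC's ECMAScript-derived number formatting.

```python
"""Added example: canonical JSON, stable ordering and a SHA-256 consensus digest.

Illustrative Python, not the suite's VexLens implementation. Field names and
sample statements are constructed; floats are deliberately unsupported.
"""
import hashlib
import json


def canonical_json(value) -> bytes:
    """RFC 8785-style canonical JSON for the subset used here: no whitespace,
    object keys sorted by UTF-16 code units, integers only (floats rejected)."""
    if value is None or isinstance(value, bool):
        return json.dumps(value).encode()
    if isinstance(value, int):
        return str(value).encode()
    if isinstance(value, float):
        raise TypeError("floats are outside this subset canonicalizer")
    if isinstance(value, str):
        # json.dumps already produces the RFC 8785 escapes (\n, \", \\, lowercase \u00xx)
        return json.dumps(value, ensure_ascii=False).encode("utf-8")
    if isinstance(value, (list, tuple)):
        return b"[" + b",".join(canonical_json(v) for v in value) + b"]"
    if isinstance(value, dict):
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return b"{" + b",".join(canonical_json(k) + b":" + canonical_json(v)
                                for k, v in items) + b"}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def statement_hash(statement: dict) -> str:
    """SHA-256 over the canonical statement, excluding any existing hash field."""
    body = {k: v for k, v in statement.items() if k != "hash"}
    return hashlib.sha256(canonical_json(body)).hexdigest()


def order_statements(statements):
    """Stable ordering: timestamp DESC, then source ASC, then hash ASC.

    Relies on every timestamp being UTC ISO-8601 in one fixed format, so that
    string order equals chronological order.
    """
    by_source_hash = sorted(statements, key=lambda s: (s["source"], s.get("hash", "")))
    return sorted(by_source_hash, key=lambda s: s["timestamp"], reverse=True)


def consensus_digest(statements) -> str:
    """Digest of the canonical, stably ordered statement set; input order is irrelevant."""
    stamped = [dict(s, hash=statement_hash(s)) for s in statements]
    return hashlib.sha256(canonical_json(order_statements(stamped))).hexdigest()


# Constructed sample statements (field names are assumptions, not a real schema).
SAMPLE_STATEMENTS = [
    {"vuln": "EXAMPLE-0001", "product": "pkg:deb/debian/example@1.0-1",
     "status": "not_affected", "source": "vendor-b", "timestamp": "2025-01-02T00:00:00Z"},
    {"vuln": "EXAMPLE-0001", "product": "pkg:deb/debian/example@1.0-1",
     "status": "affected", "source": "vendor-a", "timestamp": "2025-01-02T00:00:00Z"},
    {"vuln": "EXAMPLE-0001", "product": "pkg:deb/debian/example@1.0-1",
     "status": "under_investigation", "source": "vendor-a", "timestamp": "2025-01-01T00:00:00Z"},
]
```

The hash tie-break at the end of the ordering is not cosmetic: two statements from the same source with the same timestamp would otherwise be ordered by whatever the database returned, and the digest would drift between replicas. The timestamp sort is a string sort, which is only safe because the guarantee above pins timestamps to UTC ISO-8601 in a single format; a statement carrying a local offset or a different sub-second precision would silently break chronological order.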
### Coverage Gaps (VEX)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| CSAF Provider Connectors | No | No | Internal connector management |
| Trust Weight Configuration | No | Partial | Consider CLI for trust weight tuning |
| VEX Distribution Webhooks | No | No | VexHub webhook config needs exposure |
| Conflict Resolution UI | No | Partial | Interactive conflict resolution would help |
## Policy Engine (Policy, RiskEngine)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| K4 Lattice Logic | Pro/Ent | Policy | K4Lattice.cs, TrustLatticeEngine.cs | - | /policy | Implemented |
| Policy Gate Evaluation | Free/Pro/Ent | Policy | PolicyGateEvaluator.cs, IPolicyGate.cs | stella policy simulate | /policy | Implemented |
| Evidence Gate | Free/Pro/Ent | Policy | EvidenceGate.cs | - | /policy | Implemented |
| VEX Trust Gate | Pro/Ent | Policy | VexTrustGate.cs, VexProofSpineService.cs | - | /policy | Implemented |
| Confidence Gate | Pro/Ent | Policy | MinimumConfidenceGate.cs | - | /policy | Implemented |
| Exception Management | Pro/Ent | Policy | IExceptionService.cs, ExceptionAdapter.cs | - | /policy/exceptions | Implemented |
| Risk Scoring (6 providers) | Pro/Ent | RiskEngine | IRiskScoreProvider.cs, CvssKevProvider.cs | - | /risk | Implemented |
| Verdict Attestations | Enterprise | Policy | IVerdictAttestationService.cs, IPolicyDecisionAttestationService.cs | - | - | Implemented |
| Policy Simulation | Pro/Ent | Policy | IPolicySimulationService.cs | stella policy simulate | /policy/simulate | Implemented |
| Sealed Mode (Air-Gap) | Enterprise | Policy | ISealedModeService.cs | - | /ops | Implemented |
| Determinization System | Pro/Ent | Policy | UncertaintyScoreCalculator.cs, DecayedConfidenceCalculator.cs | - | - | Implemented |
| Score Policy (YAML) | Pro/Ent | Policy | ScorePolicyService.cs, ScorePolicyModels.cs | stella policy validate | /policy | Implemented |
### K4 Lattice (Belnap Four-Valued Logic)

| State | Symbol | Description |
|---|---|---|
| Unknown | ⊥ | No evidence available |
| True | T | Evidence supports true |
| False | F | Evidence supports false |
| Conflict | ⊤ | Credible evidence for both (contested) |

Operations:
- Join(a, b) - Knowledge union (monotone aggregation)
- Meet(a, b) - Knowledge intersection (dependency chains)
- Negate(v) - Swaps True ↔ False
- FromSupport(hasTrueSupport, hasFalseSupport) - Constructs K4 from claims
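The four operations above fall out directly from representing each K4 value as two support bits. The block below is an added example, not the suite's K4Lattice.cs: the lattice in Python, with Join as bitwise OR, Meet as bitwise AND, Negate as a bit swap, plus the two folds a policy engine actually runs (aggregating independent claims with Join, walking a dependency chain with Meet).

```python
"""Added example: Belnap four-valued (K4) knowledge lattice.

Illustrative Python, not the suite's K4Lattice.cs. Bit 0 = evidence for true,
bit 1 = evidence for false.
"""
from enum import IntEnum


class K4(IntEnum):
    UNKNOWN = 0    # ⊥  no evidence
    TRUE = 1       # T  evidence supports true
    FALSE = 2      # F  evidence supports false
    CONFLICT = 3   # ⊤  credible evidence for both


ALL_STATES = (K4.UNKNOWN, K4.TRUE, K4.FALSE, K4.CONFLICT)


def from_support(has_true_support: bool, has_false_support: bool) -> K4:
    """Build a K4 value from what a set of claims asserts."""
    return K4((1 if has_true_support else 0) | (2 if has_false_support else 0))


def join(a: K4, b: K4) -> K4:
    """Knowledge union: everything either side supports (monotone aggregation)."""
    return K4(a | b)


def meet(a: K4, b: K4) -> K4:
    """Knowledge intersection: only what both sides support (dependency chains)."""
    return K4(a & b)


def negate(v: K4) -> K4:
    """Swap the true/false support bits; UNKNOWN and CONFLICT are fixed points."""
    return K4(((v & 1) << 1) | ((v & 2) >> 1))


def leq(a: K4, b: K4) -> bool:
    """Knowledge order: a <= b when b supports everything a supports."""
    return (a & b) == a


def aggregate(claims) -> K4:
    """Fold (says_true, says_false) claims from independent sources with Join."""
    result = K4.UNKNOWN                 # identity for Join (bottom of the order)
    for says_true, says_false in claims:
        result = join(result, from_support(says_true, says_false))
    return result


def chain(links) -> K4:
    """Fold a dependency chain with Meet: a conclusion is only as known as its weakest link."""
    result = K4.CONFLICT                # identity for Meet (top of the order)
    for link in links:
        result = meet(result, link)
    return result
```

Join is monotone in the knowledge order (a new claim can add support but never remove it), so aggregating disagreeing sources converges on Conflict instead of letting the last writer win, which is the behaviour a contested VEX status needs. Meet is what a dependency chain needs: if the verdict on a finding rests on a link that is Unknown, the verdict is Unknown, however confident the other links are. Note the two identity elements: an empty aggregation is Unknown, but an empty chain is Conflict (the top of the order), so callers should not feed an empty chain and read the result as a verdict.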
### Policy Gate Types (10+)

| Gate | Purpose |
|---|---|
| Evidence Gate | Validates sufficient evidence backing |
| Lattice State Gate | Reachability lattice states (U, SR, SU, RO, RU, CR, CU, X), i.e. the 8-state reachability lattice, not the four K4 values |
| VEX Trust Gate | Confidence-based VEX scoring |
| Uncertainty Tier Gate | T1-T4 uncertainty classification |
| Minimum Confidence Gate | Enforces confidence floors |
| Evidence Freshness Gate | Staleness checks |
| VEX Proof Gate | Validates VEX proof chains |
| Reachability Requirement Gate | Reachability evidence |
| Facet Quota Gate | Facet-based quotas |
| Source Quota Gate | Source credibility quotas |
| Unknowns Budget Gate | Limits unknown assertions |
### Risk Score Providers (6)

| Provider | Key Files | Purpose |
|---|---|---|
| CVSS/KEV | CvssKevProvider.cs | CVSS + Known Exploited Vulns |
| EPSS | EpssProvider.cs | Exploit Prediction Scoring |
| FixChain | FixChainRiskProvider.cs | Fix availability and timeline |
| FixExposure | FixExposureProvider.cs | Patch adoption curves |
| VexGate | VexGateProvider.cs | VEX decisions as risk gates |
| DefaultTransforms | DefaultTransformsProvider.cs | Signal normalization |

### Determinization Signal Weights

| Signal | Weight |
|---|---|
| VEX | 35% |
| Reachability | 25% |
| Runtime | 15% |
| EPSS | 10% |
| Backport | 10% |
| SBOM Lineage | 5% |

### Score Policy Weights (Basis Points)

| Dimension | Default Weight |
|---|---|
| Base Severity | 10% (1000 BPS) |
| Reachability | 45% (4500 BPS) |
| Evidence | 30% (3000 BPS) |
| Provenance | 15% (1500 BPS) |
### CLI Commands (Policy)

| Command | Description | Status |
|---|---|---|
| `stella policy validate <path>` | Validate policy YAML (--schema, --strict) | Implemented |
| `stella policy install <pack>` | Install policy pack (--version, --env) | Implemented |
| stella policy list | List installed policies | Implemented |
| stella policy simulate | Simulate policy decisions | Implemented |

### UI Routes (Policy)

| Route | Feature | Status |
|---|---|---|
| /policy | Policy management and evaluation | Implemented |
| /policy/exceptions | Exception management | Implemented |
| /policy/simulate | Policy simulation runner | Implemented |
| /risk | Risk scoring dashboard | Implemented |

### API Endpoints (45+)

Core:
- /policy/eval/batch - Batch evaluation
- /policy/packs - Policy pack management
- /policy/runs - Run lifecycle
- /policy/decisions - Decision queries

Simulation:
- /policy/simulate - Policy simulation
- /policy/merge-preview - Merge preview
- /overlay-simulation - Overlay projection

Governance:
- /api/v1/policy/registry/packs - Pack registry
- /api/v1/policy/registry/promote - Promotion workflows
- /api/v1/policy/registry/publish - Publishing pipelines

### Coverage Gaps (Policy)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| K4 Lattice Debug | No | Partial | Consider stella policy lattice explain |
| Risk Provider Config | No | No | Provider-level configuration needs exposure |
| Exception Approval API | No | Yes | Consider stella policy exception approve |
| Determinization Tuning | No | No | Signal weights should be configurable |
## Attestation & Signing (Attestor, Signer, Provenance)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| DSSE Envelope Handling | Free/Pro/Ent | Attestor | DsseHelper.cs, DsseEnvelope.cs, DsseVerifier.cs | stella attest | /attestations | Implemented |
| In-Toto Statement Format | Free/Pro/Ent | Attestor | InTotoStatement.cs, IInTotoLinkSigningService.cs | stella attest attach | - | Implemented |
| SPDX SBOM Predicates | Free/Pro/Ent | Attestor | SpdxPredicateParser.cs | stella attest attach | - | Implemented |
| CycloneDX SBOM Predicates | Free/Pro/Ent | Attestor | CycloneDxPredicateParser.cs | stella attest attach | - | Implemented |
| SLSA Provenance Predicates | Pro/Ent | Attestor | SlsaProvenancePredicateParser.cs | stella attest attach | - | Implemented |
| Keyless Signing (Fulcio) | Pro/Ent | Signer | KeylessDsseSigner.cs, HttpFulcioClient.cs | stella sign keyless | - | Implemented |
| Rekor Transparency Log | Pro/Ent | Signer, Attestor | RekorHttpClient.cs, IRekorClient.cs | stella sign keyless --rekor | - | Implemented |
| Key Rotation Service | Enterprise | Signer | IKeyRotationService.cs, KeyRotationService.cs | /keys/rotate endpoint | - | Implemented |
| Trust Anchor Management | Enterprise | Signer | ITrustAnchorManager.cs, TrustAnchorManager.cs | - | - | Implemented |
| Attestation Chains | Enterprise | Attestor | AttestationChain.cs, AttestationChainBuilder.cs | - | - | Implemented |
| Delta Attestations | Pro/Ent | Attestor | IDeltaAttestationService.cs (VEX/SBOM/Verdict/Reachability) | - | - | Implemented |
| Offline/Air-Gap Bundles | Enterprise | Attestor | IAttestorBundleService.cs | - | /ops/offline-kit | Implemented |
### Predicate Types (25+ Types)

Standard Predicates:

| Predicate | Parser | Purpose |
|---|---|---|
| SPDX | SpdxPredicateParser.cs | SBOM attestation (2.2/2.3/3.0.1) |
| CycloneDX | CycloneDxPredicateParser.cs | SBOM attestation (1.7) |
| SLSA Provenance | SlsaProvenancePredicateParser.cs | Build provenance (v1.0) |
| VEX Override | VexOverridePredicateParser.cs | VEX decision overrides |
| Binary Diff | BinaryDiffPredicateBuilder.cs | Binary change attestation |

Stella-Ops Specific Predicates:
- AIArtifactBasePredicate, AIAuthorityClassifier, AIExplanationPredicate
- AIPolicyDraftPredicate, AIRemediationPlanPredicate, AIVexDraftPredicate
- BinaryFingerprintEvidencePredicate, BudgetCheckPredicate, ChangeTracePredicate
- DeltaVerdictPredicate, EvidencePredicate, PolicyDecisionPredicate
- ProofSpinePredicate, ReachabilityDriftPredicate, ReachabilitySubgraphPredicate
- SbomDeltaPredicate, UnknownsBudgetPredicate, VerdictDeltaPredicate
- VexDeltaPredicate, VexPredicate, TrustVerdictPredicate, FixChainPredicate

### CLI Commands (Attestation & Signing)

| Command | Description | Status |
|---|---|---|
| stella attest attach | Attach DSSE attestation to OCI artifact | Implemented |
| stella attest verify | Verify attestations on OCI artifact | Implemented |
| stella attest list | List attestations on OCI artifact | Implemented |
| stella attest fetch | Fetch specific attestation by predicate type | Implemented |
| stella attest fix-chain | FixChain attestation command | Implemented |
| stella attest patch | Patch attestation command | Implemented |
| stella sign keyless | Sigstore keyless signing | Implemented |
| stella sign verify-keyless | Verify keyless signature | Implemented |
### Signing Modes

| Mode | Description | Key Files |
|---|---|---|
| Keyless | Fulcio-based 
ephemeral keys | KeylessDsseSigner.cs |
| KMS | External key management system | CryptoDsseSigner.cs |
| HMAC | HMAC-based signing | HmacDsseSigner.cs |
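DSSE Envelope Handling and the HMAC signing mode above both rest on DSSE's pre-authentication encoding (PAE), which binds the payload type into the signed bytes so a signature cannot be transplanted onto a differently typed payload. The block below is an added example, not the suite's DsseHelper.cs or HmacDsseSigner.cs: a Python signer and verifier for the DSSE v1 envelope using HMAC-SHA256. The key, key id and in-toto style statement are constructed, and the predicateType URL is a placeholder.

```python
"""Added example: DSSE v1 envelope signing and verification with HMAC-SHA256.

Illustrative Python, not the suite's DSSE code. Follows the DSSE envelope layout
and PAE: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
"""
import base64
import hashlib
import hmac
import json

SAMPLE_KEY = b"constructed-demo-key-do-not-use"   # assumption: a shared HMAC secret
SAMPLE_KEYID = "demo-hmac-key-1"                 # assumption: key identifier


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding; lengths are byte counts in ASCII decimal."""
    ptype = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(ptype)).encode(), ptype,
                      str(len(payload)).encode(), payload])


def sign_envelope(payload: bytes, payload_type: str, key: bytes, keyid: str) -> dict:
    """Build an envelope with one HMAC-SHA256 signature over the PAE, not the raw payload."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict, keys: dict) -> bool:
    """True if any signature verifies under a key we hold for its keyid.

    The MAC is recomputed over PAE(payloadType, payload), so a change to either
    the declared type or the body invalidates the signature.
    """
    payload = base64.b64decode(envelope["payload"])
    for entry in envelope.get("signatures", []):
        key = keys.get(entry.get("keyid"))
        if key is None:
            continue
        expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"])):
            return True
    return False


def with_payload(envelope: dict, payload: bytes) -> dict:
    """Copy of an envelope carrying a different payload but the original signatures."""
    return dict(envelope, payload=base64.b64encode(payload).decode("ascii"))


# Constructed in-toto style statement used as the payload (predicateType is a placeholder).
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-image", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://example.invalid/demo-predicate",
    "predicate": {"note": "constructed sample"},
}, sort_keys=True).encode()
SAMPLE_ENVELOPE = sign_envelope(SAMPLE_STATEMENT, "application/vnd.in-toto+json",
                                SAMPLE_KEY, SAMPLE_KEYID)
```

Because the MAC covers PAE(payloadType, payload), a verifier cannot be tricked into reading a signed SBOM as, say, a policy decision by rewriting payloadType; the signature is over both. Two caveats carry over to real deployments: DSSE treats keyid as a hint, so a production verifier may try every trusted key rather than only the named one, and HMAC means anyone who can verify can also forge, which is why the Keyless and KMS modes, not HMAC, are the ones to use when attestations cross a trust boundary.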
### Crypto Algorithm Support

| Algorithm | Files | Purpose |
|---|---|---|
| RSA | CryptoDsseSigner.cs | Traditional RSA signing |
| ECDSA | CryptoDsseSigner.cs | Elliptic curve signing |
| SM2 | CryptoDsseSigner.cs | Chinese national standard |

### API Endpoints (Attestor)

| Endpoint | Purpose |
|---|---|
| /api/v1/anchors | Attestation anchors |
| /api/v1/bundles | DSSE bundle operations |
| /api/v1/chains | Attestation chain queries |
| /api/v1/proofs | Proof operations |
| /api/v1/verify | Verification endpoints |

### API Endpoints (Signer)

| Endpoint | Purpose |
|---|---|
| POST /sign | Sign artifact |
| POST /sign/verify | Verify signature |
| GET /keys | List signing keys |
| POST /keys/rotate | Rotate signing key |
| POST /keys/revoke | Revoke signing key |

### Coverage Gaps (Attestation)

| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| Key Rotation | No (API only) | No | Add stella keys rotate CLI |
| Trust Anchor Management | No | No | Consider trust anchor CLI |
| Attestation Chains UI | No | Partial | Chain visualization needed |
| Predicate Registry | No | No | Consider stella attest predicates list |
## Regional Crypto (Cryptography, SmRemote)

| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| EdDSA (Ed25519) Baseline | Free/Pro/Ent | Cryptography | Ed25519Signer.cs, Ed25519Verifier.cs | - | - | Implemented |
| ECDSA P-256 (FIPS) | Pro/Ent | Cryptography | EcdsaP256Signer.cs | - | - | Implemented |
| FIPS 140-2 Plugin | Enterprise | Cryptography | FipsPlugin.cs (RSA, ECDSA, AES) | - | - | Implemented |
| GOST R 34.10-2012 Plugin | Enterprise | Cryptography | GostPlugin.cs (256/512-bit) | - | - | Implemented |
| SM2/SM3/SM4 Plugin | Enterprise | Cryptography | SmPlugin.cs | - | - | Implemented |
| eIDAS Plugin | Enterprise | Cryptography | EidasPlugin.cs (CAdES, RFC 3161) | - | - | Implemented |
| HSM Plugin (PKCS#11) | Enterprise | Cryptography | HsmPlugin.cs | - | - | Implemented |
| CryptoPro GOST | Enterprise | Cryptography | CryptoProGostCryptoProvider.cs (Windows) | - | - | Implemented |
| SM Remote Service | Enterprise | SmRemote | Program.cs (SM2 signing service) | - | - | Implemented |
| Multi-Profile Signing | Enterprise | Cryptography | MultiProfileSigner.cs | - | - | Implemented |
| Post-Quantum (Defined) | Future | Cryptography | SignatureProfile.cs (Dilithium, Falcon) | - | - | Planned |
Signature Profiles (8 Defined)
| Profile | Standard | Algorithm | Status |
|---|---|---|---|
| EdDsa | RFC 8032 | Ed25519 | Implemented |
| EcdsaP256 | FIPS 186-4 | ES256 | Implemented |
| RsaPss | FIPS 186-4, RFC 8017 | PS256/384/512 | Implemented |
| Gost2012 | GOST R 34.10-2012 | GOST 256/512-bit | Implemented |
| SM2 | GM/T 0003.2-2012 | SM2-SM3 | Implemented |
| Eidas | ETSI TS 119 312 | RSA-SHA*, ECDSA-SHA* | Implemented |
| Dilithium | NIST PQC | CRYSTALS-Dilithium | Planned |
| Falcon | NIST PQC | Falcon-512/1024 | Planned |
Regional Compliance Matrix
| Region | Standard | Plugin | Algorithms |
|---|---|---|---|
| US | FIPS 140-2 | FipsPlugin | RSA-SHA*, ECDSA-P256/384/521, AES-GCM |
| Russia | GOST R 34.10-2012 | GostPlugin, CryptoPro | GOST 256/512-bit signatures |
| China | GM/T 0003-0004 | SmPlugin, SmRemote | SM2, SM3, SM4-CBC/GCM |
| EU | eIDAS | EidasPlugin | CAdES-BES, XAdES-BES, RFC 3161 TSA |
| Hardware | PKCS#11 | HsmPlugin | HSM-RSA, HSM-ECDSA, HSM-AES |
Key Service Interfaces
| Interface | Purpose |
|---|---|
| IContentSigner | Core signing abstraction |
| IContentVerifier | Signature verification |
| ICryptoCapability | Plugin capability reporting |
| IHsmClient | HSM abstraction (simulated/PKCS#11) |
Plugin Configuration Options
FIPS Plugin:
- RequireFipsMode, RsaKeySize (2048-4096), EcdsaCurve (P-256/384/521)
GOST Plugin:
- KeyStorePath, DefaultKeyId, PrivateKeyBase64, KeySize (256/512)
SM Plugin:
- PrivateKeyHex, GenerateKeyOnInit, UserId
eIDAS Plugin:
- CertificatePath, TimestampAuthorityUrl, ValidateCertificateChain
HSM Plugin:
- LibraryPath, SlotId, Pin, TokenLabel
Coverage Gaps (Regional Crypto)
| Feature | Has CLI | Has UI | Notes |
|---|---|---|---|
| Crypto Profile Selection | No | No | Configuration-only, no CLI |
| Key Management | No | No | Plugin-specific configuration |
| Post-Quantum Crypto | No | No | Profiles defined but not implemented |
| HSM Status | No | No | Consider health check endpoint |
Evidence & Findings (EvidenceLocker, Findings, ExportCenter)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Sealed Evidence Bundles | Pro/Ent | EvidenceLocker | S3EvidenceObjectStore.cs (WORM) | stella evidence export | /evidence-export | Implemented |
| Verdict Attestations | Pro/Ent | EvidenceLocker | VerdictEndpoints.cs, VerdictContracts.cs | - | /evidence-export | Implemented |
| Append-Only Ledger | Pro/Ent | Findings | ILedgerEventRepository.cs, LedgerEventModels.cs | - | /findings | Implemented |
| Alert Triage Workflow | Pro/Ent | Findings | DecisionModels.cs (hot/warm/cold bands) | - | /findings | Implemented |
| Merkle Anchoring | Pro/Ent | Findings | Infrastructure/Merkle/ | - | - | Implemented |
| Evidence Packs | Pro/Ent | Evidence.Pack | IEvidencePackService.cs, EvidencePack.cs | - | /evidence-thread | Implemented |
| Evidence Cards | Pro/Ent | Evidence.Pack | IEvidenceCardService.cs, EvidenceCard.cs | - | - | Implemented |
| Profile-Based Exports | Pro/Ent | ExportCenter | ExportApiEndpoints.cs, ExportProfile | - | /evidence-export | Implemented |
| Risk Bundle Export | Enterprise | ExportCenter | RiskBundleEndpoints.cs | - | /evidence-export | Implemented |
| Lineage Evidence Export | Enterprise | ExportCenter | LineageExportEndpoints.cs | - | /lineage | Implemented |
| Offline Verification | Enterprise | EvidenceLocker | verify-offline.md | stella evidence verify --offline | - | Implemented |
CLI Commands (Evidence)
| Command | Description | Status |
|---|---|---|
| stella evidence export | Export evidence bundle (--bundle, --format, --compression) | Implemented |
| stella evidence verify | Verify bundle (--offline, --rekor-key) | Implemented |
| stella evidence status | Bundle status check | Implemented |
UI Routes (Evidence)
| Route | Feature | Status |
|---|---|---|
| /evidence-export | Evidence bundle management and export | Implemented |
| /evidence-thread | Evidence thread visualization | Implemented |
| /findings | Findings ledger with triage | Implemented |
Determinism & Replay (Replay, Signals, HLC)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Hybrid Logical Clock | Pro/Ent | HybridLogicalClock | HybridLogicalClock.cs, HlcTimestamp.cs | - | - | Implemented |
| Canonical JSON (RFC 8785) | Pro/Ent | Canonical.Json | CanonJson.cs | - | - | Implemented |
| Replay Manifests (V1/V2) | Pro/Ent | Replay.Core | ReplayManifest.cs, KnowledgeSnapshot.cs | stella scan replay | - | Implemented |
| Evidence Weighted Scoring | Pro/Ent | Signals | EvidenceWeightedScoreCalculator.cs (6 factors) | - | - | Implemented |
| Timeline Events | Pro/Ent | Eventing | TimelineEvent.cs, ITimelineEventEmitter.cs | - | - | Implemented |
| Replay Proofs | Pro/Ent | Replay.Core | ReplayProof.cs, ReplayManifestValidator.cs | stella prove | - | Implemented |
| Deterministic Event IDs | Pro/Ent | Eventing | EventIdGenerator.cs (SHA-256 based) | - | - | Implemented |
| Attested Reduction | Pro/Ent | Signals | Short-circuit rules for anchored VEX | - | - | Implemented |
Evidence Weighted Scoring (6 Factors)
| Factor | Symbol | Weight | Description |
|---|---|---|---|
| Reachability | RCH | Configurable | Static/runtime reachability |
| Runtime | RTS | Configurable | Runtime telemetry |
| Backport | BKP | Configurable | Backport evidence |
| Exploit | XPL | Configurable | Exploit likelihood (EPSS) |
| Source Trust | SRC | Configurable | Feed trustworthiness |
| Mitigations | MIT | Configurable | Mitigation evidence (reduces score) |
CLI Commands (Replay)
| Command | Description | Status |
|---|---|---|
| stella scan replay | Deterministic verdict reproduction | Implemented |
| stella prove | Generate replay proofs | Implemented |
| stella verify --proof | Verify replay proofs | Implemented |
Operations (Scheduler, Orchestrator, TaskRunner, TimelineIndexer)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Job Scheduling | Pro/Ent | Scheduler | IGraphJobService.cs, RunEndpoints.cs | - | /ops/scheduler | Implemented |
| Impact Targeting | Pro/Ent | Scheduler | IImpactIndex.cs (Roaring bitmaps) | - | - | Implemented |
| Job Orchestration | Pro/Ent | Orchestrator | IJobRepository.cs, Job.cs | - | /orchestrator | Implemented |
| Dead Letter Queue | Pro/Ent | Orchestrator | DeadLetterEntry.cs, DeadLetterEndpoints.cs | - | /orchestrator | Implemented |
| Task Pack Execution | Pro/Ent | TaskRunner | ITaskRunnerClient.cs, PackRunWorkerService.cs | - | - | Implemented |
| Plan-Hash Binding | Pro/Ent | TaskRunner | Deterministic execution validation | - | - | Implemented |
| Timeline Indexing | Pro/Ent | TimelineIndexer | ITimelineQueryService.cs, TimelineEventView.cs | - | - | Implemented |
| Lease Management | Pro/Ent | Orchestrator | LeaseNextAsync(), ExtendLeaseAsync() | - | - | Implemented |
API Endpoints (Operations)
Scheduler:
- POST /api/v1/scheduler/runs - Create run
- GET /api/v1/scheduler/runs/{runId}/stream - SSE stream
- POST /api/v1/scheduler/runs/preview - Dry-run preview
Orchestrator:
- GET /api/v1/orchestrator/jobs - List jobs
- GET /api/v1/orchestrator/dag - Job DAG
- GET /api/v1/orchestrator/deadletter - Dead letter queue
- GET /api/v1/orchestrator/kpi - KPI metrics
TaskRunner:
- POST /api/runs - Create pack run
- GET /api/runs/{runId}/logs - SSE log stream
- POST /api/runs/{runId}/approve - Approval decision
UI Routes (Operations)
| Route | Feature | Status |
|---|---|---|
| /ops/scheduler | Scheduler runs and impact preview | Implemented |
| /orchestrator | Job dashboard and dead letters | Implemented |
Release Orchestration (ReleaseOrchestrator)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Promotion Workflows | Enterprise | ReleaseOrchestrator | GateModels.cs, StepModels.cs | - | /releases | Implemented |
| Integration Hub | Enterprise | ReleaseOrchestrator | IIntegrationManager.cs | - | /integrations | Implemented |
| Deployment Agents | Enterprise | Agent.Core | IAgentCapability.cs, ComposeCapability.cs | - | - | Implemented |
| Plugin System (3-Surface) | Enterprise | ReleaseOrchestrator.Plugin | IStepProviderCapability.cs, IGateProviderCapability.cs | - | /plugins | Implemented |
| Gate Evaluation | Enterprise | ReleaseOrchestrator | IGateEvaluator.cs | - | /releases | Implemented |
| Step Execution | Enterprise | ReleaseOrchestrator | IStepExecutor.cs | - | - | Implemented |
| Connector Invoker | Enterprise | ReleaseOrchestrator | IConnectorInvoker.cs | - | - | Implemented |
Integration Types
| Type | Description | Examples |
|---|---|---|
| Scm | Source Control | GitHub, GitLab, Gitea |
| Ci | Continuous Integration | Jenkins, GitHub Actions |
| Registry | Container Registry | Docker Hub, Harbor, ACR, ECR, GCR |
| Vault | Secrets | HashiCorp Vault, Azure Key Vault |
| Notify | Notifications | Slack, Teams, Email, Webhooks |
| SettingsStore | Config | Consul, etcd, Parameter Store |
Deployment Agent Types
| Agent | Key Files | Tasks |
|---|---|---|
| Docker Compose | ComposeCapability.cs | pull, up, down, scale, health-check, ps |
| SSH/WinRM | (planned) | Remote execution |
| ECS | (planned) | AWS ECS deployment |
| Nomad | (planned) | HashiCorp Nomad |
Auth & Access Control (Authority, Registry)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| OAuth2/OIDC Token Service | Free/Pro/Ent | Authority | IStellaOpsTokenClient.cs | stella auth | /login | Implemented |
| DPoP (Proof-of-Possession) | Pro/Ent | Authority | DPoP header injection | - | - | Implemented |
| mTLS Certificate Binding | Enterprise | Authority | cnf.x5t#S256 tokens | - | - | Implemented |
| 75+ Authorization Scopes | Pro/Ent | Authority | StellaOpsScopes.cs | - | - | Implemented |
| Registry Token Service | Pro/Ent | Registry | RegistryTokenIssuer.cs | - | - | Implemented |
| Plan-Based Authorization | Pro/Ent | Registry | PlanRegistry.cs | - | - | Implemented |
| LDAP Integration | Enterprise | Authority.Plugin.Ldap | LDAP connector | - | /admin | Implemented |
| Device Code Flow | Pro/Ent | Authority | CLI headless login | stella auth login | - | Implemented |
Authentication Flows
| Flow | Use Case |
|---|---|
| Client Credentials | Service-to-service |
| Device Code | CLI headless login |
| Authorization Code + PKCE | Web UI browser login |
| DPoP Handshake | Proof-of-possession for all API calls |
Scope Categories
| Category | Example Scopes |
|---|---|
| Signer | signer.sign |
| Scanner | scanner:scan, scanner:export |
| VEX | vex:read, vex:ingest |
| Policy | policy:author, policy:approve, policy:publish |
| Authority Admin | authority:tenants.write, authority:roles.write |
Notifications & Integrations (Notify, Notifier, Integrations, Zastava)
| Feature | Tiers | Module | Key Files | CLI | UI | Status |
|---|---|---|---|---|---|---|
| Multi-Channel Notifications | Pro/Ent | Notify | NotifyChannel.cs, NotifyEvent.cs | - | /notifications | Implemented |
| Rule-Based Routing | Pro/Ent | Notify | NotifyRule.cs, INotifyRuleEvaluator.cs | - | /notifications | Implemented |
| Incident Correlation | Pro/Ent | Notifier | ICorrelationEngine.cs | - | /incidents | Implemented |
| Escalation Policies | Pro/Ent | Notifier | EscalationEndpoints.cs | - | /notifications | Implemented |
| Storm Breaker | Pro/Ent | Notifier | StormBreakerEndpoints.cs | - | - | Implemented |
| External Integrations | Enterprise | Integrations | IIntegrationConnectorPlugin.cs | - | /integrations | Implemented |
| Kubernetes Admission | Enterprise | Zastava | AdmissionEndpoint.cs, AdmissionDecision.cs | - | - | Implemented |
| Runtime Event Collection | Enterprise | Zastava | RuntimeEvent.cs, RuntimeEventFactory.cs | - | - | Implemented |
Notification Channels (10 Types)
| Channel | Adapter | Status |
|---|---|---|
| Slack | SlackChannelAdapter.cs | Implemented |
| Teams | ChatWebhookChannelAdapter.cs | Implemented |
| Email | EmailChannelAdapter.cs | Implemented |
| Webhook | ChatWebhookChannelAdapter.cs | Implemented |
| PagerDuty | PagerDutyChannelAdapter.cs | Implemented |
| OpsGenie | OpsGenieChannelAdapter.cs | Implemented |
| CLI | CliChannelAdapter.cs | Implemented |
| InApp | InAppChannelAdapter.cs | Implemented |
| InAppInbox | InAppInboxChannelAdapter.cs | Implemented |
| Custom | Plugin-based | Implemented |
Runtime Event Types (Zastava)
| Event Kind | Description |
|---|---|
| ContainerStart | Container lifecycle start |
| ContainerStop | Container lifecycle stop |
| Drift | Filesystem/binary changes |
| PolicyViolation | Policy rule breach |
| AttestationStatus | Signature/attestation verification |
Summary Statistics
| Category | Count |
|---|---|
| Total Features in Matrix | ~200 original |
| Discovered Features | 200+ additional |
| CLI Commands | 80+ |
| UI Routes | 75+ |
| API Endpoints | 500+ |
| Service Interfaces | 300+ |
| Language Analyzers | 11+ |
| Advisory Connectors | 33+ |
| Notification Channels | 10 |
| Crypto Profiles | 8 |
| Policy Gate Types | 10+ |
| Risk Score Providers | 6 |
| Attestation Predicates | 25+ |
Document generated via automated feature extraction from Stella Ops codebase (20,723+ .cs files across 1,024 projects)