Release Orchestrator
Central release control plane for non-Kubernetes container estates.
Status: Planned (not yet implemented) Source: Full Architecture Specification
Purpose
The Release Orchestrator extends Stella Ops from a vulnerability scanning platform into Stella Ops Suite — a unified release control plane for non-Kubernetes container environments. It integrates:
- Existing capabilities: SBOM generation, reachability-aware vulnerability analysis, VEX support, policy engine, evidence locker, deterministic replay
- New capabilities: Environment management, release orchestration, promotion workflows, deployment execution, progressive delivery, audit-grade release governance
Scope
| In Scope | Out of Scope |
|---|---|
| Non-K8s container deployments (Docker, Compose, ECS, Nomad) | Kubernetes deployments (use ArgoCD, Flux) |
| Release identity via OCI digests | Tag-based release identity |
| Plugin-extensible integrations | Hard-coded vendor integrations |
| SSH/WinRM + agent-based deployment | Cloud-native serverless deployments |
| L4/L7 traffic management via router plugins | Built-in service mesh |
Documentation Structure
Design & Principles
- Design Principles — Core principles and invariants
- Key Decisions — Architectural decision record
Implementation
- Implementation Guide — .NET 10 patterns and best practices
- Test Structure — Test organization and guidelines
Module Architecture
- Module Overview — All modules and themes
- Integration Hub (INTHUB) — External integrations
- Environment Manager (ENVMGR) — Environments and targets
- Release Manager (RELMAN) — Release bundles and versions
- Workflow Engine (WORKFL) — DAG execution
- Promotion Manager (PROMOT) — Approvals and gates
- Deploy Orchestrator (DEPLOY) — Deployment execution
- Agents (AGENTS) — Deployment agents
- Progressive Delivery (PROGDL) — A/B and canary
- Release Evidence (RELEVI) — Evidence packets
- Plugin System (PLUGIN) — Plugin infrastructure
Data Model
- Database Schema — PostgreSQL schema specification
- Entity Definitions — Entity descriptions
API Specification
- API Overview — API design principles
- Environment APIs — Environment endpoints
- Release APIs — Release endpoints
- Promotion APIs — Promotion endpoints
- Workflow APIs — Workflow endpoints
- Agent APIs — Agent endpoints
- WebSocket APIs — Real-time endpoints
Workflow Engine
- Template Structure — Workflow template specification
- Execution State Machine — Workflow state machine
- Promotion State Machine — Promotion state machine
Security
- Security Overview — Security principles
- Authentication & Authorization — AuthN/AuthZ
- Agent Security — Agent security model
- Threat Model — Threats and mitigations
- Audit Trail — Audit logging
Integrations
- Integration Overview — Integration types
- Connector Interface — Connector specification
- Webhook Architecture — Webhook handling
- CI/CD Patterns — CI/CD integration patterns
Deployment
- Deployment Overview — Architecture overview
- Deployment Strategies — Deployment strategies
- Agent-Based Deployment — Agent deployment
- Agentless Deployment — SSH/WinRM deployment
- Artifact Generation — Generated artifacts
Progressive Delivery
- Progressive Overview — Progressive delivery architecture
- A/B Releases — A/B release models
- Canary Controller — Canary implementation
- Router Plugins — Traffic routing plugins
UI/UX
- Dashboard Specification — Dashboard screens
- Workflow Editor — Workflow editor
- Screen Reference — Key UI screens
Operations
- Metrics — Metrics specification
- Logging — Logging patterns
- Tracing — Distributed tracing
- Alerting — Alert rules
Implementation
- Roadmap — Implementation phases
- Resource Requirements — Sizing
Appendices
- Glossary — Term definitions
- Configuration Reference — Configuration options
- Error Codes — API error codes
- Evidence Schema — Evidence packet format
Quick Reference
Key Principles
- Digest-first release identity — Releases are immutable OCI digests, not tags
- Evidence for every decision — Every promotion/deployment produces sealed evidence
- Pluggable everything, stable core — Integrations are plugins; core is stable
- No feature gating — All plans include all features
- Offline-first operation — Core works in air-gapped environments
- Immutable generated artifacts — Every deployment generates stored artifacts
Platform Themes
| Theme | Purpose |
|---|---|
| INTHUB | Integration hub — external system connections |
| ENVMGR | Environment management — environments, targets, agents |
| RELMAN | Release management — components, versions, releases |
| WORKFL | Workflow engine — DAG execution, steps |
| PROMOT | Promotion — approvals, gates, decisions |
| DEPLOY | Deployment — execution, artifacts, rollback |
| AGENTS | Agents — Docker, Compose, ECS, Nomad |
| PROGDL | Progressive delivery — A/B, canary |
| RELEVI | Evidence — packets, stickers, audit |
| PLUGIN | Plugins — registry, loader, SDK |