- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys.
- Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations.
- Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
39 lines | 2.4 KiB | Markdown

# Evaluation Checklist – 30-Day Adoption Plan

## Day 0–1: Kick the Tires

- [ ] Follow the [Quickstart](../quickstart.md) to run the first scan and confirm quota headers (`X-Stella-Quota-Remaining`).
- [ ] Capture the deterministic replay bundle (`stella replay export`) to verify SRM evidence.
- [ ] Log into the Console, review the explain trace for the latest scan, and test policy waiver creation.

## Day 2–7: Prove Fit

- [ ] Import the [Offline Update Kit](../24_OFFLINE_KIT.md) and confirm feeds refresh with no Internet access.
- [ ] Apply a sovereign CryptoProfile matching your regulatory environment (FIPS, eIDAS, GOST, SM).
- [ ] Run policy simulations with your SBOMs using `stella policy simulate --input <sbom>`; log explain outcomes for review.
- [ ] Validate attestation workflows by exporting DSSE bundles and replaying them on a secondary host.

## Day 8–14: Integrate

- [ ] Wire the CLI into CI/CD to gate images using exit codes and `X-Stella-Quota-Remaining` telemetry.
- [ ] Configure `StellaOps.Notify` with at least one channel (email/webhook) and confirm digest delivery.
- [ ] Map existing advisory/VEX sources to Concelier connectors; note any feeds requiring custom plug-ins.
- [ ] Review `StellaOps.Policy.Engine` audit logs to ensure waiver ownership and expiry meet governance needs.

## Day 15–30: Harden & Measure

- [ ] Follow the [Security Hardening Guide](../17_SECURITY_HARDENING_GUIDE.md) to rotate keys and enable mTLS across modules.
- [ ] Enable observability pipelines (metrics + OpenTelemetry) to capture scan throughput and policy outcomes.
- [ ] Run performance checks against the [Performance Workbook](../12_PERFORMANCE_WORKBOOK.md) targets; note P95 latencies.
- [ ] Document operational runbooks (install, upgrade, rollback) referencing the [Release Engineering Playbook](../13_RELEASE_ENGINEERING_PLAYBOOK.md).

## Decision Gates

| Question | Evidence to collect | Source |
|----------|--------------------|--------|
| Can we operate fully offline? | Offline kit import logs, quota JWT validation without Internet | Quickstart, Offline Kit guide |
| Are findings explainable and reproducible? | SRM replay results, policy explain traces | Key features, Policy Engine UI |
| Does it meet regional compliance? | CryptoProfile application, Attestor/Rekor mirror configuration | Sovereign crypto docs, Attestor guide |

**Next step:** once the checklist is green, plan production rollout with module-specific architecture docs under `docs/modules/`.