stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4a98dfef353e6065bb8daaa43c05943205fd49
git.stella-ops.org/docs/README.md
Vladimir Moushkov 6f8ee8aacb UP
2026-01-30 23:58:25 +02:00

141 lines
6.4 KiB
Markdown
Executable File
Raw Blame History

# Stella Ops Suite Documentation
**Stella Ops Suite** is a centralized, auditable **release control plane** for **non-Kubernetes container estates**. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces **verifiable evidence** for every decision.
Stella is designed for teams who deploy containers via **Docker/Compose, hosts/VMs, and scripted automation** and need **certifiable security + auditable releases** without building a bespoke governance pipeline.
---
## What Stella delivers
### Evidence-grade release governance (outside Kubernetes)
- **Environment promotions** (Dev -> Stage -> Prod) with explicit policy, approvals, and change control.
- **Digest-first release identity**: deployments are tracked by immutable OCI digests so "what is deployed where" is unambiguous.
- **Deterministic decision records**: every gate decision is explainable ("why blocked?") and replayable.
### Reachability-aware security decisioning
- **Deep scanning** produces SBOM + findings + reachability and hybrid reachability evidence.
- **VEX-first decisioning** with consensus and conflict handling across issuers (SBOM/VEX are part of the evidence chain, not a side export).
- **Policy-as-code** with deterministic evaluation and traceable outcomes.
### Verifiability, attestability, and audit export
- **Evidence packets / decision capsules**: hashable, immutable bundles that capture inputs, verdicts, and approvals.
- **Attestations** (DSSE/in-toto, predicates for SBOM/VEX/verdict/reachability; optional Sigstore flows where configured).
- **Audit exports** for compliance review, incident response, and forensic reconstruction.
### Offline-first, sovereign operation
- Built for **air-gapped** and restricted environments: local databases, offline kits/snapshots, and deterministic replay.
- **Regional crypto profiles** (eIDAS/FIPS/GOST/SM and related plugin architecture) to avoid compliance lock-in.
### Toolchain-agnostic integrations
- Integrates with common SCM/CI/registries/secrets managers through **connectors and plugins**.
- Works alongside existing pipelines: scan-on-build, gate-on-promotion, re-evaluate on advisory updates.
---
## Core differentiators (the "why Stella" set)
These concepts appear throughout the docs and are the suite's anchor points:
- **Signed, replayable risk verdicts**: decisions can be re-run deterministically from the same evidence.
- **Decision capsules**: evidence is packaged for audit, not scattered across logs and screenshots.
- **Reachability with portable proofs**: exploitability is evidenced, not asserted.
- **Smart-diff / semantic risk delta**: focus on what materially changed between releases.
- **Unknowns as first-class state**: uncertainty is tracked and budgeted, not hidden.
- **Non-Kubernetes-first**: orchestration and evidence for Compose/hosts/agentless targets as a primary use case.
- **Digest-first release identity**: immutable artifacts, immutable accountability.
For exhaustive capability detail (including planned items), use the Feature Matrix referenced below.
---
## Two levels of documentation
- **High-level (canonical):** curated guides in `docs/*.md`.
- **Detailed (reference):** deep dives under `docs/**` (module dossiers, architecture notes, API contracts/samples, runbooks, schemas).
Entry point: `docs/technical/README.md`.
This documentation set is intentionally consolidated and does not maintain compatibility stubs for old paths.
---
## Start here
### Product understanding
| Goal | Open this |
| --- | --- |
| Understand the suite quickly | `overview.md` |
| Capability cards | `key-features.md` |
| Full capability matrix | `FEATURE_MATRIX.md` |
| Product vision | `product/VISION.md` |
### Getting started
| Goal | Open this |
| --- | --- |
| First run and basic workflows | `quickstart.md` |
| Ingest advisories (Concelier + CLI) | `CONCELIER_CLI_QUICKSTART.md` |
| Console (Web UI) operator guide | `UI_GUIDE.md` |
| Offline / air-gap operations | `OFFLINE_KIT.md` |
### Architecture
| Goal | Open this |
| --- | --- |
| Architecture: high-level overview | `ARCHITECTURE_OVERVIEW.md` |
| Architecture: full reference map | `ARCHITECTURE_REFERENCE.md` |
| Architecture: user flows (UML) | `technical/architecture/user-flows.md` |
| Architecture: module matrix | `technical/architecture/module-matrix.md` |
| Architecture: data flows | `technical/architecture/data-flows.md` |
| Architecture: schema mapping | `technical/architecture/schema-mapping.md` |
| Release Orchestration dossier | `modules/release-orchestrator/architecture.md` |
### Development and operations
| Goal | Open this |
| --- | --- |
| Develop plugins/connectors | `PLUGIN_SDK_GUIDE.md` |
| Security deployment hardening | `SECURITY_HARDENING_GUIDE.md` |
| VEX consensus and issuer trust | `VEX_CONSENSUS_GUIDE.md` |
| Vulnerability Explorer guide | `VULNERABILITY_EXPLORER_GUIDE.md` |
| SBOM determinism guide | `sboms/DETERMINISM.md` |
| Engineering standards (for implementers) | `code-of-conduct/CODE_OF_CONDUCT.md` |
| Testing standards (for QA/automation) | `code-of-conduct/TESTING_PRACTICES.md` |
---
## Detailed indexes
- Technical index (everything): `docs/technical/README.md`
- End-to-end workflow flows: `docs/flows/`
- Module dossiers: `docs/modules/`
- API contracts and samples: `docs/api/`
- Architecture notes / ADRs: `docs/technical/architecture/`, `docs/technical/adr/`
- Operations and deployment: `docs/operations/`
- Air-gap workflows: `docs/modules/airgap/guides/`
- Security deep dives: `docs/security/`
- Benchmarks and fixtures: `docs/benchmarks/`, `docs/assets/`
- Product advisories: `docs/product/advisories/`
---
## License and notices
- Project license (BUSL-1.1 + Additional Use Grant): `LICENSE`
- Third-party notices: `NOTICE.md`
- Legal and licensing index: `docs/legal/README.md`
- Full dependency inventory: `docs/legal/THIRD-PARTY-DEPENDENCIES.md`
- Compatibility guidance: `docs/legal/LICENSE-COMPATIBILITY.md`
- Cryptography compliance: `docs/legal/crypto-compliance-review.md`
---
## Design principles (non-negotiable)
- **Offline-first:** core operations must work in restricted/air-gapped environments.
- **Deterministic replay:** same inputs yield the same outputs (stable ordering, canonical hashing).
- **Evidence-linked decisions:** every decision links to concrete evidence artifacts.
- **Digest-first identity:** releases are immutable OCI digests, not mutable tags.
- **Pluggable integrations:** connectors and steps are extensible; the core evidence chain stays stable.
Reference in New Issue View Git Blame Copy Permalink