stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fda92af9bcbaf6c1677f0d6b13609a8e04222bbc
git.stella-ops.org/docs2/modules/index.md
master fcb5ffe25d feat(scanner): Complete PoE implementation with Windows compatibility fix 
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 14:52:08 +02:00

5.1 KiB
Raw Blame History

Modules

Core services

Authority

  • Purpose: issue OpTok tokens with DPoP or mTLS sender constraints.
  • Inputs: client credentials, device code, or auth code.
  • Outputs: JWT access tokens with tenant, audience, and scope claims.
  • Storage: PostgreSQL for client and tenant data, Valkey for DPoP nonce cache.

Signer

  • Purpose: produce DSSE envelopes and enforce Proof of Entitlement (PoE).
  • Inputs: signing requests from trusted services and PoE proof.
  • Outputs: DSSE bundles for SBOMs, reports, and exports.
  • Storage: audit logs only; keys live in KMS or keyless providers.

Attestor

  • Purpose: log DSSE bundles to Rekor and provide verification APIs.
  • Inputs: DSSE bundles from Signer or Scanner.
  • Outputs: Rekor entries and proofs, verification results.
  • Storage: PostgreSQL for receipts and indexes.

Scanner (Web + Worker)

  • Purpose: deterministic SBOM generation, inventory and usage views, diffs.
  • Inputs: image digest or SBOM, analyzer manifests, policy snapshots.
  • Outputs: SBOMs, diffs, reachability graphs, evidence bundles.
  • Storage: RustFS for artifacts, PostgreSQL for metadata, Valkey for queues.

Concelier

  • Purpose: ingest and normalize advisory sources under AOC.
  • Inputs: vendor and ecosystem advisory feeds.
  • Outputs: raw advisory facts, linksets, deterministic exports.
  • Storage: PostgreSQL (vuln schema).

Excititor

  • Purpose: ingest VEX statements under AOC and preserve conflicts.
  • Inputs: OpenVEX, CSAF VEX, CycloneDX VEX.
  • Outputs: normalized VEX observations and consensus views.
  • Storage: PostgreSQL (vex schema).

Policy Engine

  • Purpose: deterministic policy evaluation with explain traces and unknowns.
  • Inputs: SBOM inventory, advisory facts, VEX evidence, reachability.
  • Outputs: verdicts, effective findings, decision traces, derived VEX.
  • Storage: PostgreSQL (policy schema).

Scheduler

  • Purpose: impact selection and analysis-only re-evaluation.
  • Inputs: advisory and VEX deltas, BOM index metadata.
  • Outputs: rescan jobs and delta events.
  • Storage: PostgreSQL (scheduler schema), Valkey for queues.

Notify

  • Purpose: route events to channels with rules and templates.
  • Inputs: scan and scheduler events.
  • Outputs: deliveries to Slack, Teams, email, webhooks.
  • Storage: PostgreSQL (notify schema), Valkey for queues.

Export Center

  • Purpose: deterministic export bundles and offline mirror layouts.
  • Inputs: raw facts, policy outputs, SBOMs and evidence bundles.
  • Outputs: JSON exports, Trivy DB exports, mirror bundles, offline kits.
  • Storage: RustFS and PostgreSQL.

CLI

  • Purpose: automation and verification for scanning, export, and replay.
  • Inputs: user commands and offline bundles.
  • Outputs: API calls, local verification reports.

UI and Console

  • Purpose: operator console for scans, policy, VEX, and notifications.
  • Inputs: API responses, SSE streams.
  • Outputs: operational workflows and audit views.

Advisory AI

  • Purpose: evidence-grounded analysis with guardrails.
  • Inputs: SBOM and evidence bundles.
  • Outputs: structured findings and guidance artifacts.

Orchestrator

  • Purpose: job DAGs and pack runs for automation.
  • Inputs: job definitions and run requests.
  • Outputs: run status, job artifacts.
  • Storage: PostgreSQL (orchestrator schema).

Registry Token Service

  • Purpose: issue tokens for internal registry and scoped pulls.
  • Inputs: client credentials.
  • Outputs: short-lived registry tokens.

Graph Explorer

  • Purpose: graph indexing and exploration for evidence and relationships.
  • Inputs: graph snapshots and overlays.
  • Outputs: graph queries and exports.

VEX Lens

  • Purpose: reproducible consensus views over VEX statements.
  • Inputs: normalized VEX observations and trust weights.
  • Outputs: consensus status and evidence refs.

Vulnerability Explorer

  • Purpose: triage workflows and evidence ledger views.
  • Inputs: effective findings and Decision Capsules.
  • Outputs: triage actions and audit records.

Telemetry Stack

  • Purpose: metrics, logs, traces, and dashboards.
  • Inputs: service telemetry and audit events.
  • Outputs: dashboards and alerts.

DevOps and Release

  • Purpose: release trains, signing, and distribution workflows.
  • Inputs: build artifacts and manifests.
  • Outputs: signed releases and offline kit bundles.

Platform

  • Purpose: cross-cutting determinism, offline, and identity rules.

CI Recipes

  • Purpose: deterministic CI templates and guardrails.

Zastava

  • Purpose: runtime observer and optional admission enforcement.
  • Inputs: runtime facts and policy verdicts.
  • Outputs: runtime events and admission decisions.

Supporting and adjacent modules

Issuer Directory

  • Trust registry for VEX issuers and keys.

VexHub

  • Aggregation and distribution of VEX statements for downstream consumers.

SBOM Service

  • Deterministic SBOM projections and lineage ledger.

Signals

  • Reachability scoring, unknowns registry, and signal APIs.

TaskRunner

  • Deterministic task pack execution with approvals and evidence capture.

BinaryIndex

  • Binary identity mapping for patch-aware and backport-aware matching.

Benchmark

  • Benchmark harness and ground-truth corpus management.

Gateway and Router (optional)

  • Edge routing and transport abstraction for deployments that require a shared ingress.