Stella Ops Suite Documentation

Stella Ops Suite is a centralized, auditable release control plane for non-Kubernetes container estates. It orchestrates environment promotions, gates releases using reachability-aware security and policy, and produces verifiable evidence for every decision.

Stella is designed for teams who deploy containers via Docker/Compose, hosts/VMs, and scripted automation and need certifiable security + auditable releases without building a bespoke governance pipeline.

What Stella delivers

Evidence-grade release governance (outside Kubernetes)

Environment promotions (Dev -> Stage -> Prod) with explicit policy, approvals, and change control.
Digest-first release identity: deployments are tracked by immutable OCI digests so “what is deployed where” is unambiguous.
Deterministic decision records: every gate decision is explainable (“why blocked?”) and replayable.

Reachability-aware security decisioning

Deep scanning produces SBOM + findings + reachability and hybrid reachability evidence.
VEX-first decisioning with consensus and conflict handling across issuers (SBOM/VEX are part of the evidence chain, not a side export).
Policy-as-code with deterministic evaluation and traceable outcomes.

Verifiability, attestability, and audit export

Evidence packets / decision capsules: hashable, immutable bundles that capture inputs, verdicts, and approvals.
Attestations (DSSE/in-toto, predicates for SBOM/VEX/verdict/reachability; optional Sigstore flows where configured).
Audit exports for compliance review, incident response, and forensic reconstruction.

Offline-first, sovereign operation

Built for air-gapped and restricted environments: local databases, offline kits/snapshots, and deterministic replay.
Regional crypto profiles (eIDAS/FIPS/GOST/SM and related plugin architecture) to avoid compliance lock-in.

Toolchain-agnostic integrations

Integrates with common SCM/CI/registries/secrets managers through connectors and plugins.
Works alongside existing pipelines: scan-on-build, gate-on-promotion, re-evaluate on advisory updates.

Core differentiators (the “why Stella” set)

These concepts appear throughout the docs and are the suite’s anchor points:

Signed, replayable risk verdicts: decisions can be re-run deterministically from the same evidence.
Decision capsules: evidence is packaged for audit, not scattered across logs and screenshots.
Reachability with portable proofs: exploitability is evidenced, not asserted.
Smart-diff / semantic risk delta: focus on what materially changed between releases.
Unknowns as first-class state: uncertainty is tracked and budgeted, not hidden.
Non-Kubernetes-first: orchestration and evidence for Compose/hosts/agentless targets as a primary use case.
Digest-first release identity: immutable artifacts, immutable accountability.

For exhaustive capability detail (including planned items), use the Feature Matrix referenced below.

Two levels of documentation

High-level (canonical): curated guides in docs/*.md.
Detailed (reference): deep dives under docs/** (module dossiers, architecture notes, API contracts/samples, runbooks, schemas).
Entry point: docs/technical/README.md.

This documentation set is intentionally consolidated and does not maintain compatibility stubs for old paths.

Start here

Product understanding

Goal	Open this
Understand the suite quickly	`overview.md`
Capability cards	`key-features.md`
Full capability matrix	`FEATURE_MATRIX.md`
Product vision	`product/VISION.md`
Roadmap (priorities + definition of “done”)	`ROADMAP.md`

Getting started

Goal	Open this
First run and basic workflows	`quickstart.md`
Ingest advisories (Concelier + CLI)	`CONCELIER_CLI_QUICKSTART.md`
Console (Web UI) operator guide	`UI_GUIDE.md`
Offline / air-gap operations	`OFFLINE_KIT.md`

Architecture

Goal	Open this
Architecture: high-level overview	`ARCHITECTURE_OVERVIEW.md`
Architecture: full reference map	`ARCHITECTURE_REFERENCE.md`
Architecture: user flows (UML)	`technical/architecture/user-flows.md`
Architecture: module matrix	`technical/architecture/module-matrix.md`
Architecture: data flows	`technical/architecture/data-flows.md`
Architecture: schema mapping	`technical/architecture/schema-mapping.md`
Release Orchestration dossier	`modules/release-orchestrator/architecture.md`

Development and operations

Goal	Open this
Develop plugins/connectors	`PLUGIN_SDK_GUIDE.md`
Security deployment hardening	`SECURITY_HARDENING_GUIDE.md`
VEX consensus and issuer trust	`VEX_CONSENSUS_GUIDE.md`
Vulnerability Explorer guide	`VULNERABILITY_EXPLORER_GUIDE.md`
SBOM determinism guide	`sboms/DETERMINISM.md`
Engineering standards (for implementers)	`code-of-conduct/CODE_OF_CONDUCT.md`
Testing standards (for QA/automation)	`code-of-conduct/TESTING_PRACTICES.md`

Detailed indexes

Technical index (everything): docs/technical/README.md
End-to-end workflow flows: docs/flows/
Module dossiers: docs/modules/
API contracts and samples: docs/api/
Architecture notes / ADRs: docs/technical/architecture/, docs/technical/adr/
Operations and deployment: docs/operations/
Air-gap workflows: docs/modules/airgap/guides/
Security deep dives: docs/security/
Benchmarks and fixtures: docs/benchmarks/, docs/assets/
Product advisories: docs/product/advisories/

License and notices

Project license (BUSL-1.1 + Additional Use Grant): LICENSE
Third-party notices: NOTICE.md
Legal and licensing index: docs/legal/README.md
Full dependency inventory: docs/legal/THIRD-PARTY-DEPENDENCIES.md
Compatibility guidance: docs/legal/LICENSE-COMPATIBILITY.md
Cryptography compliance: docs/legal/crypto-compliance-review.md

Design principles (non-negotiable)

Offline-first: core operations must work in restricted/air-gapped environments.
Deterministic replay: same inputs yield the same outputs (stable ordering, canonical hashing).
Evidence-linked decisions: every decision links to concrete evidence artifacts.
Digest-first identity: releases are immutable OCI digests, not mutable tags.
Pluggable integrations: connectors and steps are extensible; the core evidence chain stays stable.