Evaluation Checklist – 30-Day Adoption Plan
Day 0–1: Kick the Tires
- [ ] Follow the Quickstart to run the first scan and confirm quota headers (
X-Stella-Quota-Remaining). - [ ] Capture the deterministic replay bundle (
stella replay export) to verify SRM evidence. - [ ] Log into the Console, review the explain trace for the latest scan, and test policy waiver creation.
Day 2–7: Prove Fit
- [ ] Import the Offline Update Kit and confirm feeds refresh with no Internet access.
- [ ] Apply a sovereign CryptoProfile matching your regulatory environment (FIPS, eIDAS, GOST, SM).
- [ ] Run policy simulations with your SBOMs using
stella policy simulate --input <sbom>; log explain outcomes for review. - [ ] Validate attestation workflows by exporting DSSE bundles and replaying them on a secondary host.
Day 8–14: Integrate
- [ ] Wire the CLI into CI/CD to gate images using exit codes and
X-Stella-Quota-Remainingtelemetry. - [ ] Configure
StellaOps.Notifywith at least one channel (email/webhook) and confirm digest delivery. - [ ] Map existing advisory/VEX sources to Concelier connectors; note any feeds requiring custom plug-ins.
- [ ] Review
StellaOps.Policy.Engineaudit logs to ensure waiver ownership and expiry meet governance needs.
Day 15–30: Harden & Measure
- [ ] Follow the Security Hardening Guide to rotate keys and enable mTLS across modules.
- [ ] Enable observability pipelines (metrics + OpenTelemetry) to capture scan throughput and policy outcomes.
- [ ] Run performance checks against the Performance Workbook targets; note P95 latencies.
- [ ] Document operational runbooks (install, upgrade, rollback) referencing Release Engineering Playbook.
Decision Gates
| Question | Evidence to collect | Source |
|---|---|---|
| Can we operate fully offline? | Offline kit import logs, quota JWT validation without Internet | Quickstart, Offline Kit guide |
| Are findings explainable and reproducible? | SRM replay results, policy explain traces | Key features, Policy Engine UI |
| Does it meet regional compliance? | CryptoProfile application, Attestor/Rekor mirror configuration | Sovereign crypto docs, Attestor guide |
Next step: once the checklist is green, plan production rollout with module-specific architecture docs under docs/modules/.