# 4 · Feature Matrix — Stella Ops
(rev 2.0 · 14 Jul 2025)
| Category | Capability | Free Tier (≤ 333 scans / day) | Community Plug‑in | Commercial Add‑On | Notes / ETA |
|---|---|---|---|---|---|
| SBOM Ingestion | Trivy‑JSON, SPDX‑JSON, CycloneDX‑JSON | ✅ | — | — | Auto‑detect on upload |
| Delta‑SBOM Cache | ✅ | — | — | Warm scans < 1 s | |
| Scanning | CVE lookup via local DB | ✅ | — | — | Update job ships weekly feeds |
| Licence‑risk detection | ⏳ (roadmap Q4‑2025) | — | — | SPDX licence list | |
| Policy Engine | YAML rules | ✅ | — | — | In‑UI editor |
| OPA / Rego | ⏳ (β Q1‑2026) | ✅ plug‑in | — | Plug‑in enables Rego | |
| Registry | Anonymous internal registry | ✅ | — | — | StellaOps.Registry image |
| Attestation | Cosign signing | ⏳ (Q1‑2026) | — | — | Requires StellaOpsAttestor |
| SLSA provenance v1.0 | — | — | ⏳ (commercial 2026) | Enterprise need | |
| Rekor transparency log | — | ✅ plug‑in | — | Air‑gap replica support | |
| Quota & Throttling | 333 scans/day soft limit | ✅ | — | — | Yellow banner at 200, wait‑wall post‑limit |
Usage API (/quota) |
✅ | — | — | CI can poll remaining scans | |
| User Interface | Dark / light mode | ✅ | — | — | Auto‑detect OS theme |
| Russian localisation | ✅ | — | — | Default if Accept‑Language: ru |
|
| Audit trail | ✅ | — | — | Mongo history | |
| Deployment | Docker Compose bundle | ✅ | — | — | Single‑node |
| Helm chart (K8s) | ✅ | — | — | Horizontal scaling | |
| High‑availability split services | — | — | ✅ (Add‑On) | HA Redis & Mongo | |
| Extensibility | .NET hot‑load plug‑ins | ✅ | N/A | — | AGPL reference SDK |
| Community plug‑in marketplace | — | ⏳ (β Q2‑2026) | — | Moderated listings | |
| Telemetry | Opt‑in anonymous metrics | ✅ | — | — | Required for quota satisfaction KPI |
| Quota & Tokens | Client‑JWT issuance | ✅ (online 12 h token) | — | — | /connect/token |
| Offline Client‑JWT (30 d) | ✅ via OUK | — | — | Refreshed monthly in OUK |
Legend: ✅ = Included ⏳ = Planned — = Not applicable
Rows marked “Commercial Add‑On” are optional paid components shipping outside the AGPL‑core; everything else is FOSS.
Last updated: 14 Jul 2025 (quota rev 2.0).