4 · Feature Matrix — Stella Ops

(rev 2.0 · 14 Jul 2025)

Category	Capability	Free Tier (≤ 333 scans / day)	Community Plug‑in	Commercial Add‑On	Notes / ETA
SBOM Ingestion	Trivy‑JSON, SPDX‑JSON, CycloneDX‑JSON	✅	—	—	Auto‑detect on upload
	Delta‑SBOM Cache	✅	—	—	Warm scans < 1 s
Scanning	CVE lookup via local DB	✅	—	—	Update job ships weekly feeds
	Licence‑risk detection	⏳ (roadmap Q4‑2025)	—	—	SPDX licence list
Policy Engine	YAML rules	✅	—	—	In‑UI editor
	OPA / Rego	⏳ (β Q1‑2026)	✅ plug‑in	—	Plug‑in enables Rego
Registry	Anonymous internal registry	✅	—	—	`StellaOps.Registry` image
Attestation	Cosign signing	⏳ (Q1‑2026)	—	—	Requires `StellaOpsAttestor`
	SLSA provenance v1.0	—	—	⏳ (commercial 2026)	Enterprise need
	Rekor transparency log	—	✅ plug‑in	—	Air‑gap replica support
Quota & Throttling	333 scans/day soft limit	✅	—	—	Yellow banner at 200, wait‑wall post‑limit
	Usage API (`/quota`)	✅	—	—	CI can poll remaining scans
User Interface	Dark / light mode	✅	—	—	Auto‑detect OS theme
	Additional locale (Cyrillic)	✅	—	—	Default if `Accept‑Language: bg` or any other
	Audit trail	✅	—	—	Mongo history
Deployment	Docker Compose bundle	✅	—	—	Single‑node
	Helm chart (K8s)	✅	—	—	Horizontal scaling
	High‑availability split services	—	—	✅ (Add‑On)	HA Redis & Mongo
Extensibility	.NET hot‑load plug‑ins	✅	N/A	—	AGPL reference SDK
	Community plug‑in marketplace	—	⏳ (β Q2‑2026)	—	Moderated listings
Telemetry	Opt‑in anonymous metrics	✅	—	—	Required for quota satisfaction KPI
Quota & Tokens	Client‑JWT issuance	✅ (online 12 h token)	—	—	`/connect/token`
	Offline Client‑JWT (30 d)	✅ via OUK	—	—	Refreshed monthly in OUK

Legend: ✅ = Included ⏳ = Planned — = Not applicable
Rows marked “Commercial Add‑On” are optional paid components shipping outside the AGPL‑core; everything else is FOSS.

Last updated: 14 Jul 2025 (quota rev 2.0).