# 23 · FAQ Matrix — Stella Ops

# FAQ & Support Matrix

A living list of the questions we get every day, plus a compact matrix of what is Supported Now, In Preview, and On the Roadmap (TODO).


## 0 Quick Legend

| Mark | Meaning |
|------|---------|
|  | Fully supported in the current release |
| 🅿️ | Preview / opt‑in behind a feature flag |
| 🛠 | Planned in the ≤ 6 month roadmap (Feature Matrix “TODO”) |
| 🚧 | Longer‑term; 9‑12 month horizon or beyond |

## 1 General

| # | Question | Short Answer | Status |
|---|----------|--------------|--------|
| G‑1 | Why launch another DevSecOps product? | Existing scanners are either SaaS‑only, slow, or lack offline & Russian‑language feeds. Stella Ops focuses on speed (< 5 s), modularity, air‑gap friendliness, and an AGPL code‑base that enterprises can extend in‑house. |  |
| G‑2 | What tech stack? | Backend .NET 9 + Redis; runners are OCI images (Trivy, Syft, Grype). UI Angular 17. |  |
| G‑3 | License? | AGPL v3 for all core repos; plugins inherit if linked. |  |
| G‑4 | Where do I report bugs? | Open an issue in `git.stella-ops.ru/stella/core` or ping `#stella-ops` on Matrix. |  |

## 2 Installation & Upgrades

| # | Question | Answer | Status |
|---|----------|--------|--------|
| I‑1 | How do I pull agent images now? | All official images are in the anonymous read‑only registry `registry.git.stella-ops.ru`. No auth token required for pull. | (new) |
| I‑2 | Can I still use GHCR? | Images remain mirrored for convenience but are not signed; the internal registry is the source of truth. |  |
| I‑3 | How to upgrade from ≤ v0.8? | Re‑generate `docker‑compose.yml` with the bootstrap script; volumes remain intact. Import legacy mute‑rules via `/policy/import`. |  |
| I‑4 | Helm charts? | K8s Helm chart is under `deploy/helm`; undefaulted (requires `values.yaml`). | 🅿️ |

## 3 SBOM & Scanning

| # | Question | Short Answer | Status |
|---|----------|--------------|--------|
| S‑1 | Why exactly 333 scans? | Covers the p95 workload of SMBs (~290 builds/day) while keeping infra costs < $5/mo per user and nudging larger orgs toward Plus/Pro. |  |
| S‑2 | How is the limit technically enforced? | Each `/scan` request carries a Client‑JWT. The Quota plug‑in atomically increments `quota:<token>:<date>` in Redis. Soft (5 s) and hard (60 s) wait‑walls ensure fair use. |  |
| S‑3 | What if my site is fully offline? | Every OUK tarball contains a fresh Client‑JWT valid 30 days. Uploading the OUK refreshes the token automatically; no Internet required. |  |
| S‑4 | Can I pool multiple tokens? | Yes, but each token has its own 333/day budget. Use distinct tokens per CI line if you need more throughput. |  |
| S‑5 | Does quota enforcement affect performance? | No. Legitimate scans still complete in < 5 s; blocked scans incur only their specified wait‑wall. |  |
| S‑6 | Which SBOM formats does Stella emit? | Built‑in: `trivy-json-v2`, `spdx-json`, `cyclonedx-json`. |  |
| S‑7 | What is Δ‑SBOM and how fast is it? | Uploads only new layers; P95 ≤ 1 s on cached bases. |  |
| S‑8 | Windows container scanning? | Runner binaries compile on Windows, but the layer‑unpack path is unoptimised; full support 🚧. | 🚧 |
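The quota mechanism in S‑2 and the per‑token budgets in S‑4 can be modelled in a few lines. The following is an added example written for this FAQ, not code from the Stella Ops Quota plug‑in: it uses the `quota:<token>:<date>` key and the 333/day, 5 s and 60 s figures from the table, and assumes (these are not stated on the page) that the token identifier is a stable claim extracted from the Client‑JWT, that the first 30 over‑limit requests receive the soft wall and later ones the hard wall, and that over‑limit requests are rejected with the wait reported back to the caller. The Redis client is replaced by a constructed in‑memory stand‑in that implements only `INCR`, `EXPIRE` and `TTL`.

```python
"""Model of the per-token daily scan quota from S-1/S-2/S-4 (added example, not Stella Ops code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAILY_LIMIT = 333        # S-1/S-4: every Client-JWT gets its own 333 scans per day
SOFT_WAIT_S = 5          # S-2: soft wait-wall
HARD_WAIT_S = 60         # S-2: hard wait-wall
SOFT_OVERAGE_BAND = 30   # ASSUMPTION: first 30 over-limit requests get the soft wall, the rest the hard wall


class FakeRedis:
    """Constructed in-memory stand-in for the only Redis commands the quota check needs.

    A real deployment would use a Redis client; INCR is atomic server-side, which is what
    stops concurrent /scan requests from over-running the budget.
    """

    def __init__(self) -> None:
        self._counters: dict = {}
        self._ttl: dict = {}

    def incr(self, key: str) -> int:
        self._counters[key] = self._counters.get(key, 0) + 1
        return self._counters[key]

    def expire(self, key: str, seconds: int) -> bool:
        self._ttl[key] = seconds
        return True

    def ttl(self, key: str) -> int:
        return self._ttl.get(key, -1)


@dataclass(frozen=True)
class QuotaDecision:
    allowed: bool
    used: int            # scans counted against this token today, including this one
    remaining: int
    wait_seconds: int    # 0 when allowed; otherwise the wait-wall to report (e.g. as Retry-After)


def utc_datetime(year: int, month: int, day: int, hour: int = 12) -> datetime:
    """Constructed UTC timestamps for the demo below."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def quota_key(token_id: str, now: datetime) -> str:
    """quota:<token>:<date>, with the date taken in UTC so every node agrees on the bucket."""
    return f"quota:{token_id}:{now.strftime('%Y-%m-%d')}"


def check_quota(r, token_id: str, now: Optional[datetime] = None) -> QuotaDecision:
    """Count one /scan request against token_id and decide whether it may proceed.

    token_id is whatever stable identifier the plug-in extracts from the Client-JWT
    (a `jti` claim is a plausible choice; that detail is an assumption here).
    """
    now = now or datetime.now(timezone.utc)
    key = quota_key(token_id, now)

    # The single atomic INCR is both the reservation and the check: whatever value comes
    # back is this request's position in today's budget, even under concurrency.
    used = r.incr(key)
    if used == 1:
        # First scan of the UTC day for this token: let the bucket expire shortly after
        # midnight so stale keys do not accumulate (the grace avoids edge-of-day churn).
        midnight = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
        r.expire(key, int((midnight - now).total_seconds()) + 60)

    if used <= DAILY_LIMIT:
        return QuotaDecision(True, used, DAILY_LIMIT - used, 0)

    overage = used - DAILY_LIMIT
    wait = SOFT_WAIT_S if overage <= SOFT_OVERAGE_BAND else HARD_WAIT_S
    return QuotaDecision(False, used, 0, wait)


if __name__ == "__main__":
    r = FakeRedis()
    noon = utc_datetime(2025, 7, 14)
    for _ in range(DAILY_LIMIT):
        check_quota(r, "ci-line-a", noon)
    print(check_quota(r, "ci-line-a", noon))                  # blocked, soft wall
    print(check_quota(r, "ci-line-b", noon))                  # separate token, separate budget (S-4)
    print(check_quota(r, "ci-line-a", utc_datetime(2025, 7, 15)))  # new UTC day, fresh bucket
```

Because the decision is derived from the value `INCR` returns rather than from a separate read, two CI runners hitting the same token at the same instant cannot both be granted the 333rd scan. Pooling several tokens (S‑4) simply produces several independent keys, which is why the FAQ recommends one token per CI line rather than sharing one.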

## 4 Policy‑as‑Code

| # | Question | Answer | Status |
|---|----------|--------|--------|
| P‑1 | How are mutes & blocks stored now? | Default: YAML (`scan-policy.yaml`) in Mongo (versioned). Import / export via `/policy/{import,export}` or Settings → Policies. |  |
| P‑2 | Why YAML over OPA? | YAML lowers the entry barrier; advanced users may embed Rego snippets. First‑class Rego evaluation is 🛠. | 🛠 |
| P‑3 | CLI enforcement? | Pass `--policy-file path` plus `--enforce` to fail builds on violations. The exit code reflects the policy gate. |  |
| P‑4 | Audit history? | Every policy change writes an immutable record (`audit_policies` collection) and appears in the UI History tab. |  |

## 5 Registry & Offline Use

| # | Question | Answer | Status |
|---|----------|--------|--------|
| R‑1 | Is the internal registry mandatory? | No, but recommended for sovereignty & signature verification (`cosign verify`). |  |
| R‑2 | How to mirror for OUK? | `oras pull registry.git.stella-ops.ru/library/* --output ./ouk-bundle` → import on the target via `ctr images import`. |  |
| R‑3 | Does the backend fetch external feeds? | Only when `--feeds.auto=1`; OUK installs run fully offline with NVD packed in the tarball. |  |

## 6 Performance

| Scenario | Target | Achieved (July 2025) |
|----------|--------|----------------------|
| Local SBOM scan (alpine) | ≤ 5 s | 4.2 s P95 |
| Δ‑SBOM warm base | ≤ 1 s | 0.8 s P95 |
| Image unpack (200 MB) | ≤ 10 s | 8.6 s P95 |

Numbers measured on 4 vCPU / 8 GB Ubuntu 22.04 runner.


## 7 Security & Compliance

| # | Question | Answer | Status |
|---|----------|--------|--------|
| C‑1 | How are images signed? | Cosign signatures pushed alongside each tag (`*.sig`). Santech verifies on pull. |  |
| C‑2 | Supply‑chain attestation (SLSA)? | SLSA‑gen at build time and verification in the runner is 🛠 (≤ 6 months). | 🛠 |
| C‑3 | Rekor transparency log? | Local Rekor mirror for offline installs is 🚧 (9‑12 months). | 🚧 |
| C‑4 | TLS ciphers? | Default OpenSSL suites; a plug‑in allows GOST/SM (via `ITlsProvider`). |  |

## 8 Road‑map / Future Features

| Area | Feature | ETA | Notes |
|------|---------|-----|-------|
| UI | Modular route plug‑ins | Q1‑2026 | Dynamic Angular module loader |
| SBOM | Multi‑arch Δ‑SBOM | Q1‑2026 | Layer digest per arch |
| Policy | Rego native engine | Q1‑2026 | `opa eval` in‑proc |
| Supply chain | SLSA provenance | Q1‑2026 | Level 3 target |
| Integrity | Rekor mirror | Q2‑2026 | Air‑gap friendly |
| Ecosystem | Community plugin market | Q2‑2026 | Curated index in UI |
| Scale | Redis Cluster auto‑shard | Q3‑2026 | Transparent fail‑over |

## 9 Troubleshooting

| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| `ER_BAD_SV` error on scan | SBOM format flag mismatch | Set the correct `--sbom-type` or let auto‑detect choose. |
| Δ‑SBOM still uploads full SBOM | Cache cold or digest mismatch | Check that `docker history` shows reused layers; bump the builder version. |
| “Policy file invalid” | YAML schema error | Run the `/policy/validate` endpoint; lint with the VS Code schema. |
| Pull fails with 401 | Corporate proxy intercepts registry | Mirror to on‑premise Harbor; set the `--registry` flag. |

## 10 Licensing & Community

| # | Question | Answer |
|---|----------|--------|
| L‑1 | Can I build a commercial fork? | AGPL allows commercial services, but derivatives must remain AGPL if distributed. |
| L‑2 | Commercial support? | Community only today; paid support partners in discussion. |
| L‑3 | How to contribute a plugin? | Fork → implement the DI contract (`IScannerRunner`, etc.) → PR + ADR. |

## 11 Change Log

| Date | Highlights |
|------|------------|
| 2025‑07‑14 | Added internal registry, multi‑format SBOM, Δ‑SBOM, Policy‑as‑Code, updated roadmap (SLSA/Rekor) |
| 2025‑06‑30 | Initial public FAQ matrix |

(End of FAQ Matrix v2.0)