Legal FAQ — Free‑Tier Quota & AGPL Compliance
Operational behaviour (limits, counters, delays) is documented in 33_333_QUOTA_OVERVIEW.md.
This page covers only the legal aspects of offering Stella Ops as a service or embedding it into another product while the free‑tier limits are in place.
1 · Does enforcing a quota violate the AGPL?
No.
AGPL‑3.0 does not forbid implementing usage controls in the program itself. Recipients retain the freedoms to run, study, modify and share the software. The Stella Ops quota:
- Is enforced solely at the service layer (Redis counters) — the source code implementing the quota is published under AGPL‑3.0‑or‑later.
- Never disables functionality; it introduces time delays only after the free allocation is exhausted.
- Can be bypassed entirely by rebuilding from source and removing the enforcement middleware — the licence explicitly allows such modifications.
Therefore the quota complies with §§ 0 & 2 of the AGPL.
2 · Can I redistribute Stella Ops with the quota removed?
Yes, provided you:
- Publish the full corresponding source code of your modified version (AGPL § 13 & § 5c), and
- Clearly indicate the changes (AGPL § 5a).
You may retain or relax the limits, or introduce your own tiering, as long as the complete modified source is offered to every user of the service.
3 · Embedding in a proprietary appliance
You may ship Stella Ops inside a hardware or virtual appliance only if the entire combined work is distributed under AGPL‑3.0‑or‑later and you supply the full source code for both the scanner and your integration glue.
Shipping an AGPL component while keeping the rest closed‑source violates § 13 (“remote network interaction”).
4 · SaaS redistribution
Operating a public SaaS that offers Stella Ops scans to third parties triggers the network‑use clause. You must:
- Provide the complete, buildable source of your running version — including quota patches or UI branding.
- Present the offer conspicuously (e.g. a “Source Code” footer link).
Failure to do so breaches § 13 and can terminate your licence under § 8.
5 · Is e‑mail collection for the JWT legal?
- Purpose limitation (GDPR Art. 5‑1 b): address is used only to deliver the JWT or optional release notes.
- Data minimisation (Art. 5‑1 c): no name, IP or marketing preferences are required; a blank e‑mail body suffices.
- Storage limitation (Art. 5‑1 e): addresses are deleted or hashed after ≤ 7 days unless the sender opts into updates.
Hence the token workflow adheres to GDPR principles.
6 · Change‑log
Version | Date | Notes |
---|---|---|
2.0 | 2025‑07‑16 | Removed runtime quota details; linked to new authoritative overview. |
1.0 | 2024‑12‑20 | Initial legal FAQ. |