Stella Ops Road‑map
Release cadence is fixed; scope is frozen once a version enters beta. Progress is tracked openly in the issue tracker.
v0.1 α
Late 2025
- SBOM‑first engine (CycloneDX 1.5 & SPDX 2.3 JSON) with Δ‑SBOM warm scans < 5 s on a 4‑vCPU runner.
- Angular 20 UI (dashboard, reports, admin).
- Vulnerability‑feed merger for local CVE databases.
- Modular .NET 10 LTS core — start‑up‑time plug‑ins with a public SDK.
v0.2 β
Q1 2026
- Nightly re‑scan of previously “green” SBOMs.
- Docker‑registry bulk scanner — audit entire OCI registries.
- Installer one‑liner that generates Docker Compose files & secrets.
- JSON & SARIF outputs for CI pipelines.
v0.3 β
Q3 2026
- Policy‑as‑code engine (YAML / Rego) with admission‑style hooks.
- Zastava scanner — blocks non‑approved base images.
- Cosign‑signed releases + SBOM — verifiable provenance out‑of‑the‑box. SLSA Level 3 provenance on every artefact.
- Air‑gap ready — Offline Kit support. Offline Update Kit auto‑import CLI with delta patches every 24 h.
v1.0 GA
Q4 2026
- AI advisor — natural‑language remediation & prioritisation.
- TLS abstraction: TLS 1.3 baseline with pluggable sovereign crypto providers (such as SM2/SM3, or whatever the local jurisdiction's law requires).
- LDAP / Active Directory SSO with role‑based access.
- 33 scans/day in anonymous mode; an e‑mail token lifts the limit to 333.
Throttling merely slows scans and shows a reminder after 90% of the daily scan quota has been used; it never blocks.
About the 333‑scan token
• Anonymous mode: 33 scans per UTC‑day.
• With a free e‑mail token: 333 scans.
• At 200 daily scans a polite reminder appears; performance is throttled but scans continue.
• Requestor e‑mail and IP are retained for up to seven days for abuse checks, then hashed and purged.