Sovereign Mode

Why organisations demand sovereignty

• Regulated sectors — finance, defence and national cloud regions forbid outbound traffic or foreign telemetry.
• Regional vulnerability feeds — local databases such as OSV, GHSA, NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU often publish advisories first.
• Country‑specific crypto —some regions require non‑default algorithm families. Support is exposed via provider plug‑ins where legally permitted.
• Auditability — the entire stack is AGPL‑3.0‑or‑later, signed with Cosign and ships a reproducible SBOM.

Offline scanning & fair‑use quota

Stella Ops works out‑of‑the‑box on an isolated network: 33 scans per UTC day anonymously or 333 scans per day with a free e‑mailed JWT. Throttling never blocks builds; it slows down scans and shows a gentle reminder once you cross 90 % of daily scan quota.

Sovereign TLS providers (v1.0)

Support for regional TLS stacks is exposed via an ITlsProvider interface. Stella Ops does not ship or advertise any country‑specific providers by default; availability depends on customer‑supplied modules and local law.

Implementation via ITlsProvider interface in the .NET 10 LTS core; Angular 20 UI auto‑detects available providers.

Unified global + regional CVE database

The FeedMerge service consolidates multiple public and regional feeds into one signed SQLite snapshot that ships in every Offline Update Kit.

Offline Kit workflow