fix tests. new product advisories enhancements

docs/legal/SAAS_MSP_GUIDANCE.md

@@ -0,0 +1,356 @@
+# SaaS and MSP Licensing Guidance
+
+**Document Version:** 1.0.0
+**Last Updated:** 2026-01-25
+
+This document provides detailed guidance on Stella Ops licensing for SaaS providers,
+Managed Service Providers (MSPs), and hosting scenarios. For the full legal terms,
+see `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`.
+
+---
+
+## Overview
+
+The Stella Ops BUSL-1.1 license with Community Plugin Grant restricts providing Stella
+Ops as a commercial hosted service to third parties. This document clarifies what is
+and isn't permitted under different hosting scenarios.
+
+**Key Principle:** The restriction targets commercial offerings that compete with
+Stella Ops' own hosted services, not legitimate internal use or isolated customer
+deployments.
+
+---
+
+## 1. Prohibited: Multi-Tenant SaaS Offerings
+
+The following are **NOT permitted** without a commercial license:
+
+### 1.1 Public SaaS Platform
+
+**Prohibited:** Operating a multi-tenant SaaS platform that provides Stella Ops
+functionality to paying customers.
+
+**Example (prohibited):**
+```
+AcmeScan.io
+├── Customer A (paying subscriber)
+├── Customer B (paying subscriber)
+├── Customer C (paying subscriber)
+└── Shared Stella Ops infrastructure
+```
+
+**Why prohibited:** This directly competes with Stella Ops' commercial SaaS offering.
+
+### 1.2 White-Label Hosting
+
+**Prohibited:** Rebranding Stella Ops and selling it as your own hosted product.
+
+**Example (prohibited):**
+```
+"PowerScan Pro" (white-labeled Stella Ops)
+├── Sold as monthly subscription
+├── Marketed as proprietary technology
+└── Runs on shared infrastructure
+```
+
+**Why prohibited:** This is commercial redistribution as a competing service.
+
+### 1.3 Embedded SaaS Features
+
+**Prohibited:** Embedding Stella Ops scanning as a feature in your commercial SaaS product.
+
+**Example (prohibited):**
+```
+AcmeDevPlatform.com (commercial SaaS)
+├── Code repository feature
+├── CI/CD pipeline feature
+├── "Security Scanning" feature <- Powered by embedded Stella Ops
+└── Charged as part of subscription
+```
+
+**Why prohibited:** Stella Ops functionality is being monetized as part of a third-party
+service offering.
+
+---
+
+## 2. Permitted: Internal Use
+
+The following **ARE permitted** under the Community Plugin Grant:
+
+### 2.1 Internal Enterprise Deployment
+
+**Permitted:** Deploying Stella Ops for your organization's internal use.
+
+**Example (permitted):**
+```
+Acme Corp Internal
+├── Development team scans
+├── Security team analysis
+├── Compliance reporting
+└── Accessed only by Acme employees/contractors
+```
+
+**Why permitted:** Internal use for the licensee's own business operations.
+
+### 2.2 Internal Platform Team
+
+**Permitted:** A platform/DevOps team providing Stella Ops to internal development teams.
+
+**Example (permitted):**
+```
+Acme Corp Platform Team
+├── Hosts Stella Ops on internal infrastructure
+├── Provides scanning service to:
+│   ├── Team Alpha (internal)
+│   ├── Team Beta (internal)
+│   └── Team Gamma (internal)
+└── All users are Acme employees
+```
+
+**Why permitted:** All users are within the same organization.
+
+### 2.3 Subsidiary/Affiliate Use
+
+**Permitted:** Parent company hosting for subsidiaries under common control.
+
+**Example (permitted):**
+```
+Acme Holdings
+├── Acme Corp (subsidiary) - uses hosted Stella Ops
+├── Acme Europe (subsidiary) - uses hosted Stella Ops
+└── Acme Asia (subsidiary) - uses hosted Stella Ops
+```
+
+**Why permitted:** Affiliates under common control are treated as one organization.
+
+---
+
+## 3. Permitted with Conditions: MSP Single-Tenant Hosting
+
+Managed Service Providers may host Stella Ops for customers under specific conditions.
+
+### 3.1 Single-Tenant Isolated Deployments
+
+**Permitted (with commercial license):** MSP hosting separate Stella Ops instances for
+each customer.
+
+**Example (permitted with commercial license):**
+```
+AcmeMSP Infrastructure
+├── Customer A Instance (isolated)
+│   ├── Dedicated Stella Ops deployment
+│   ├── Customer A data only
+│   └── Covered by AcmeMSP commercial license
+├── Customer B Instance (isolated)
+│   ├── Dedicated Stella Ops deployment
+│   ├── Customer B data only
+│   └── Covered by AcmeMSP commercial license
+└── No shared infrastructure between customers
+```
+
+**Requirements:**
+- Each instance must be fully isolated
+- MSP must have commercial license covering all instances
+- Or each customer must have their own commercial license
+
+### 3.2 Customer-Licensed Deployments
+
+**Permitted:** MSP managing infrastructure where customer holds the license.
+
+**Example (permitted):**
+```
+AcmeMSP (infrastructure only)
+├── Customer A Infrastructure
+│   ├── Customer A's Stella Ops license
+│   ├── MSP manages infrastructure
+│   └── Customer controls license compliance
+└── Customer B Infrastructure
+    ├── Customer B's Stella Ops license
+    └── MSP manages infrastructure
+```
+
+**Why permitted:** The customer (not MSP) is the licensee; MSP provides only
+infrastructure management.
+
+---
+
+## 4. Gray Areas: Guidance for Common Scenarios
+
+### 4.1 Consulting with Temporary Access
+
+**Scenario:** Security consultant deploys Stella Ops at client site for an engagement.
+
+**Analysis:**
+- If consultant's license: Consultant needs commercial license for third-party use
+- If client's license: Client uses their free tier or commercial license
+
+**Recommendation:** Client should obtain their own license; consultant assists with
+deployment.
+
+### 4.2 Training/Demo Environments
+
+**Scenario:** Providing training environments with Stella Ops to external trainees.
+
+**Analysis:**
+- Temporary, non-production training: Generally permitted under non-production use
+- Ongoing access for trainees: May require commercial license depending on duration
+
+**Recommendation:** Contact legal@stella-ops.org for training program licensing.
+
+### 4.3 Non-Commercial Community Hosting
+
+**Scenario:** Hosting Stella Ops scanning as a free service for community benefit.
+
+The BUSL-1.1 restriction specifically targets "public multi-tenant **paid** hosting."
+Non-commercial hosting for community benefit may be eligible for the Community Program.
+
+**Examples of potentially eligible scenarios:**
+- Free scanning services for open source projects
+- Academic/educational institutions providing free access to students
+- Non-profit organizations providing free services to other non-profits
+- Community-run instances for local developer communities
+
+**Requirements for Community Program consideration:**
+1. Service must be genuinely free (no fees, subscriptions, or required purchases)
+2. Service must not be a loss-leader for commercial offerings
+3. Service must not compete directly with Licensor's commercial offerings
+4. Organization must apply and be approved by Licensor
+
+**Analysis:**
+- Non-commercial, community benefit: Contact community@stella-ops.org for evaluation
+- If charging any fees: Requires commercial license (not eligible for Community Program)
+- If bundled with paid services: Requires commercial license
+
+**Recommendation:** Apply for Community Program at https://stella-ops.org/community
+
+**Important:** Community Program approval is not automatic. Licensor reserves the right
+to evaluate each application based on community benefit, competitive impact, and
+alignment with program goals.
+
+### 4.4 Reseller/Channel Partner
+
+**Scenario:** Reselling Stella Ops commercial licenses with implementation services.
+
+**Analysis:**
+- Reselling licenses: Requires authorized reseller agreement
+- Implementation services: Permitted under customer's license
+
+**Recommendation:** Contact sales@stella-ops.org for reseller program details.
+
+---
+
+## 5. Compliance Checklist
+
+### For Internal Deployments
+
+- [ ] All users are employees, contractors, or affiliates of the licensee
+- [ ] Deployment is within free tier limits (3 environments, 999 scans/day) OR
+      commercial license obtained
+- [ ] LICENSE and NOTICE files preserved
+- [ ] No third-party access to functionality
+
+### For MSP Deployments
+
+- [ ] Each customer instance is fully isolated
+- [ ] Either MSP or customer holds valid license for each instance
+- [ ] No shared multi-tenant infrastructure
+- [ ] Clear documentation of license responsibility
+- [ ] Annual compliance attestation completed
+
+### For Any Hosted Scenario
+
+- [ ] Not marketed as competing SaaS product
+- [ ] Not white-labeled or rebranded
+- [ ] Not embedded in commercial SaaS offering
+- [ ] Attribution requirements met
+
+---
+
+## 6. Decision Tree
+
+```
+Is Stella Ops functionality being provided to third parties?
+│
+├─ NO → Internal use permitted (within free tier or with commercial license)
+│
+└─ YES → Is it a commercial offering (paid or part of paid service)?
+         │
+         ├─ NO (genuinely free, community benefit)
+         │   │
+         │   ├─ Apply for Community Program (community@stella-ops.org)
+         │   │
+         │   └─ If approved → Permitted under Community Program terms
+         │      If not approved → Commercial license required
+         │
+         └─ YES (paid, or free-as-loss-leader for paid services)
+              │
+              └─ Is each customer fully isolated (single-tenant)?
+                  │
+                  ├─ NO → Commercial SaaS license required
+                  │       (contact sales@stella-ops.org)
+                  │
+                  └─ YES → MSP single-tenant model
+                           │
+                           ├─ MSP holds commercial license covering all instances
+                           │  → Permitted
+                           │
+                           └─ Each customer holds their own license
+                              → Permitted (MSP provides infrastructure only)
+```
+
+**Key distinction:** The restriction targets "public multi-tenant **paid** hosting."
+Non-commercial hosting for genuine community benefit may qualify for the Community Program,
+but requires explicit approval from Licensor.
+
+---
+
+## 7. Examples of Compliance Violations
+
+The following are examples of arrangements that would violate the license:
+
+1. **"Vulnerability Scanning as a Service"** - Public signup for scanning services
+   powered by Stella Ops without commercial license
+
+2. **DevSecOps Platform Bundle** - Including Stella Ops scanning in a paid platform
+   subscription without commercial license
+
+3. **Shared MSP Instance** - Multiple MSP customers sharing a single Stella Ops
+   deployment
+
+4. **"Free Tier Arbitrage"** - Running multiple free-tier installations to serve
+   third-party customers
+
+5. **Competitive Forking** - Forking Stella Ops and offering it as a competing
+   hosted service
+
+---
+
+## 8. Getting Commercial License
+
+If your use case requires a commercial license:
+
+**Contact:**
+- Email: sales@stella-ops.org
+- Website: https://stella-ops.org/pricing
+
+**License options include:**
+- Per-environment licensing
+- Unlimited scan licensing
+- MSP/reseller programs
+- OEM/embedded licensing
+
+**Volume discounts** available for MSPs and enterprise deployments.
+
+---
+
+## See Also
+
+- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
+- `docs/legal/LEGAL_FAQ_QUOTA.md` - Quota and free tier FAQ
+- `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Plugin developer questions
+- `docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md` - Audit and compliance verification
+
+---
+
+*Document maintained by: Legal + Sales Operations*
+*Last review: 2026-01-25*