license switch agpl -> busl1, sprints work, new product advisories

docs/benchmarks/scanner-feature-comparison-trivy.md

@@ -6,7 +6,7 @@ _Reference snapshot: Trivy commit `012f3d75359e019df1eb2602460146d43cb59715`, cl
 
 | Field | Value |
 |-------|-------|
-| **Last Updated** | 2025-12-15 |
+| **Last Updated** | 2026-01-20 |
 | **Last Verified** | 2025-12-14 |
 | **Next Review** | 2026-03-14 |
 | **Claims Index** | [`docs/product/claims-citation-index.md`](../../docs/product/claims-citation-index.md) |
@@ -39,7 +39,7 @@ _Reference snapshot: Trivy commit `012f3d75359e019df1eb2602460146d43cb59715`, cl
 | Security & tenancy | Authority-scoped OpToks (DPoP/mTLS), tenant-aware storage prefixes, secret providers, validation pipeline preventing misconfiguration, DSSE signing for tamper evidence.[1](#sources)[3](#sources)[5](#sources)[6](#sources) | CLI/server intended for single-tenant use; docs emphasise network hardening but do not describe built-in tenant isolation or authenticated server endpoints—deployments rely on surrounding controls.[8](#sources)[15](#sources) |
 | Extensibility & ecosystem | Analyzer plug-ins (restart-time), Surface shared libraries, BuildX SBOM generator, CLI orchestration, integration contracts with Scheduler, Export Center, Policy, Notify.[1](#sources)[2](#sources) | CLI plugin framework (`trivy plugin`), rich ecosystem integrations (GitHub Actions, Kubernetes operator, IDE plugins), community plugin index for custom commands.[8](#sources)[16](#sources) |
 | Observability & ops | Structured logs, metrics for queue/cache/validation, policy preview traces, runbooks and offline manifest documentation embedded in module docs.[1](#sources)[4](#sources)[6](#sources) | CLI-/server-level logging; documentation focuses on usage rather than metrics/trace emission—operators layer external tooling as needed.[8](#sources) |
-| Licensing | AGPL-3.0-or-later with sovereign/offline obligations (per project charter).[StellaOps LICENSE](../../LICENSE) | Apache-2.0; permissive for redistribution and derivative tooling.[17](#sources) |
+| Licensing | BUSL-1.1 with Additional Use Grant (3 env / 999 new hash scans/day; no SaaS).[StellaOps LICENSE](../../LICENSE) | Apache-2.0; permissive for redistribution and derivative tooling.[17](#sources) |
 
 ## Coverage Deep Dive
 

docs/benchmarks/scanner/deep-dives/windows.md

@@ -41,7 +41,7 @@ In-depth design detail lives in `../../modules/scanner/design/windows-analyzer.m
 ## Open design questions
 | Topic | Question | Owner |
 | --- | --- | --- |
-| MSI parsing library | Build custom reader or embed open-source MSI parser? Must be AGPL-compatible and offline-ready. | Scanner Guild |
+| MSI parsing library | Build custom reader or embed open-source MSI parser? Must be BUSL-1.1-compatible and offline-ready. | Scanner Guild |
 | Driver risk classification | Should Policy Engine treat kernel-mode drivers differently by default? | Policy Guild |
 | Authenticodes & catalogs | Where do we verify signature/certificate revocation (scanner vs policy)? | Security Guild |
 | Registry access | Will scanner access registry hives directly or require pre-extracted exports? | Scanner + Ops Guild |