license switch agpl -> busl1, sprints work, new product advisories

docs/legal/LEGAL_FAQ_QUOTA.md

@@ -1,84 +1,68 @@
-# Legal FAQ — Free‑Tier Quota & AGPL Compliance
-
-> **Operational behaviour (limits, counters, delays) is documented in  
-> [`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).**  
-> This page covers only the legal aspects of offering Stella Ops as a
-> service or embedding it into another product while the free‑tier limits are
-> in place.
-
----
-
-## 1 · Does enforcing a quota violate the AGPL?
-
-**No.**  
-AGPL‑3.0 does not forbid implementing usage controls in the program itself.
-Recipients retain the freedoms to run, study, modify and share the software.
-The Stella Ops quota:
-
-* Is enforced **solely at the service layer** (Valkey counters, Redis-compatible) — the source
-  code implementing the quota is published under AGPL‑3.0‑or‑later.
-* Never disables functionality; it introduces *time delays* only after the
-  free allocation is exhausted.
-* Can be bypassed entirely by rebuilding from source and removing the
-  enforcement middleware — the licence explicitly allows such modifications.
-
-Therefore the quota complies with §§ 0 & 2 of the AGPL.
-
----
-
-## 2 · Can I redistribute Stella Ops with the quota removed?
-
-Yes, provided you:
-
-1. **Publish the full corresponding source code** of your modified version  
-   (AGPL § 13 & § 5c), and
-2. Clearly indicate the changes (AGPL § 5a).
-
-You may *retain* or *relax* the limits, or introduce your own tiering, as long
-as the complete modified source is offered to every user of the service.
-
----
-
-## 3 · Embedding in a proprietary appliance
-
-You may ship Stella Ops inside a hardware or virtual appliance **only if** the
-entire combined work is distributed under **AGPL‑3.0‑or‑later** and you supply
-the full source code for both the scanner and your integration glue.
-
-Shipping an AGPL component while keeping the rest closed‑source violates
-§ 13 (*“remote network interaction”*).
-
----
-
-## 4 · SaaS redistribution
-
-Operating a public SaaS that offers Stella Ops scans to third parties triggers
-the **network‑use clause**.  You must:
-
-* Provide the complete, buildable source of **your running version** —
-  including quota patches or UI branding.
-* Present the offer **conspicuously** (e.g. a “Source Code” footer link).
-
-Failure to do so breaches § 13 and can terminate your licence under § 8.
-
----
-
-## 5 · Is e‑mail collection for the JWT legal?
-
-* **Purpose limitation (GDPR Art. 5‑1 b):** address is used only to deliver the
-  JWT or optional release notes.
-* **Data minimisation (Art. 5‑1 c):** no name, IP or marketing preferences are
-  required; a blank e‑mail body suffices.
-* **Storage limitation (Art. 5‑1 e):** addresses are deleted or hashed after
-  ≤ 7 days unless the sender opts into updates.
-
-Hence the token workflow adheres to GDPR principles.
-
----
-
-## 6 · Change‑log
-
-| Version | Date | Notes |
-|---------|------|-------|
-| **2.0** | 2025‑07‑16 | Removed runtime quota details; linked to new authoritative overview. |
-| 1.0 | 2024‑12‑20 | Initial legal FAQ. |
+# Legal FAQ <EFBFBD> Free-Tier Quota & BUSL-1.1 Additional Use Grant
+
+> **Operational behaviour (limits, counters, delays) is documented in**
+> [`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).
+> This page covers only the legal aspects of offering Stella Ops as a
+> service or embedding it into another product while the free-tier limits are
+> in place.
+
+---
+
+## 1 ? Does enforcing a quota violate BUSL-1.1?
+
+**No.**
+BUSL-1.1 permits usage controls and requires production use to remain within the
+Additional Use Grant (3 environments, 999 new hash scans per 24 hours, and no
+SaaS/hosted third-party service). Quota enforcement documents compliance.
+
+The Stella Ops quota:
+
+* Is enforced **solely at the service layer** (Valkey counters, Redis-compatible).
+* Never disables functionality; it introduces *time delays* only after the
+  free allocation is exhausted.
+* Can be bypassed by rebuilding from source, but production use outside the
+  Additional Use Grant requires a commercial license.
+
+## 2 ? Can I redistribute Stella Ops with the quota removed?
+
+Yes, provided you:
+
+1. **Include the LICENSE and NOTICE files** with your distribution, and
+2. **Mark modified files** with prominent change notices.
+
+Recipients are still bound by BUSL-1.1 and the Additional Use Grant; production
+use outside the grant requires a commercial license.
+
+## 3 ? Embedding in a proprietary appliance
+
+You may ship Stella Ops inside a hardware or virtual appliance under BUSL-1.1.
+You must include LICENSE and NOTICE and preserve attribution notices. Production
+use must remain within the Additional Use Grant unless a commercial license is
+obtained. Proprietary integration code does not have to be disclosed.
+
+## 4 ? SaaS redistribution
+
+The BUSL-1.1 Additional Use Grant prohibits providing Stella Ops as a hosted or
+managed service to third parties. SaaS/hosted use requires a commercial license.
+
+## 5 <20> Is e-mail collection for the JWT legal?
+
+* **Purpose limitation (GDPR Art. 5-1 b):** address is used only to deliver the
+  JWT or optional release notes.
+* **Data minimisation (Art. 5-1 c):** no name, IP or marketing preferences are
+  required; a blank e-mail body suffices.
+* **Storage limitation (Art. 5-1 e):** addresses are deleted or hashed after
+  <= 7 days unless the sender opts into updates.
+
+Hence the token workflow adheres to GDPR principles.
+
+---
+
+## 6 <20> Change-log
+
+| Version | Date | Notes |
+|---------|------|-------|
+| **3.0** | 2026-01-20 | Updated for BUSL-1.1 Additional Use Grant. |
+| **2.1** | 2026-01-20 | Updated for Apache-2.0 licensing (superseded by BUSL-1.1 in v3.0). |
+| **2.0** | 2025-07-16 | Removed runtime quota details; linked to new authoritative overview. |
+| 1.0 | 2024-12-20 | Initial legal FAQ. |