release orchestrator pivot, architecture and planning

docs/FEATURE_MATRIX.md

@@ -1,30 +1,44 @@
-# 4 · Feature Matrix — **Stella Ops**
-*(rev 4.0 · 24 Dec 2025)*
+# Feature Matrix — Stella Ops Suite
+*(rev 5.0 · 09 Jan 2026)*
 
 > **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.
 
 ---
 
-## Pricing Tiers Overview
+## Product Evolution
 
-| Tier | Scans/Day | Registration | Token Refresh | Target User | Price |
-|------|-----------|--------------|---------------|-------------|-------|
-| **Free** | 33 | None | 12h auto | Individual developer | $0 |
-| **Community** | 333 | Required | 30d manual | Startups, small teams (<25) | $0 |
-| **Enterprise** | 2,000+ | SSO/Contract | Annual | Organizations (25+), regulated | Contact Sales |
+**Stella Ops Suite** is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.
 
-**Key Differences:**
-- **Free → Community**: 10× quota, deep analysis, Helm/K8s, email alerts, requires registration
-- **Community → Enterprise**: Scale (HA), multi-team (RBAC scopes), automation (CI/CD), support (SLA)
+- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
+- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
+- **OCI-digest-first releases** — Immutable digest-based release identity
+- **Evidence packets** — Every release decision is cryptographically signed and stored
+
+---
+
+## Pricing Model
+
+**Principle:** Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes.
+
+| Plan | Price | Environments | New Digests/Day | Deployments | Notes |
+|------|-------|--------------|-----------------|-------------|-------|
+| **Free** | $0/month | 3 | 333 | Unlimited (fair use) | Full features |
+| **Pro** | $699/month | 33 | 3,333 | Unlimited (fair use) | Same features |
+| **Enterprise** | $1,999/month | Unlimited | Unlimited | Unlimited | Fair use on mirroring/audit bandwidth |
+
+**Key Principles:**
+- All plans include all features (no feature gating)
+- Limits are environments + new digests analyzed per day
+- Unlimited deployments with fair use policy
 
 ---
 
 ## Competitive Moat Features
 
-*These differentiators are available across all tiers to build brand and adoption.*
+*These differentiators are available across all plans.*
 
-| Capability | Free | Community | Enterprise | Notes |
-|------------|:----:|:---------:|:----------:|-------|
+| Capability | Free | Pro | Enterprise | Notes |
+|------------|:----:|:---:|:----------:|-------|
 | Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator |
 | Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles |
 | VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution |
@@ -32,6 +46,79 @@
 | Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection |
 | Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets |
 | Deterministic Replay | ✅ | ✅ | ✅ | `stella replay srm.yaml` |
+| Non-Kubernetes First-Class | ✅ | ✅ | ✅ | Docker/Compose/ECS/Nomad targets |
+| Digest-First Release Identity | ✅ | ✅ | ✅ | Immutable releases |
+
+---
+
+## Release Orchestration (Planned)
+
+*Release orchestration capabilities are planned for implementation. All plans will include all features.*
+
+| Capability | Free | Pro | Enterprise | Notes |
+|------------|:----:|:---:|:----------:|-------|
+| **Environment Management** | | | | |
+| Environment CRUD | ⏳ | ⏳ | ⏳ | Dev/Stage/Prod definitions |
+| Freeze Windows | ⏳ | ⏳ | ⏳ | Calendar-based blocking |
+| Approval Policies | ⏳ | ⏳ | ⏳ | Per-environment rules |
+| **Release Management** | | | | |
+| Component Registry | ⏳ | ⏳ | ⏳ | Service → repository mapping |
+| Release Bundles | ⏳ | ⏳ | ⏳ | Component → digest bundles |
+| Semantic Versioning | ⏳ | ⏳ | ⏳ | SemVer release versions |
+| Tag → Digest Resolution | ⏳ | ⏳ | ⏳ | Immutable digest pinning |
+| **Promotion & Gates** | | | | |
+| Promotion Workflows | ⏳ | ⏳ | ⏳ | Environment transitions |
+| Security Gate | ⏳ | ⏳ | ⏳ | Scan verdict evaluation |
+| Approval Gate | ⏳ | ⏳ | ⏳ | Human sign-off |
+| Freeze Window Gate | ⏳ | ⏳ | ⏳ | Calendar enforcement |
+| Policy Gate (OPA/Rego) | ⏳ | ⏳ | ⏳ | Custom rules |
+| Decision Records | ⏳ | ⏳ | ⏳ | Evidence-linked decisions |
+| **Deployment Execution** | | | | |
+| Docker Host Agent | ⏳ | ⏳ | ⏳ | Direct container deployment |
+| Compose Host Agent | ⏳ | ⏳ | ⏳ | Docker Compose deployment |
+| SSH Agentless | ⏳ | ⏳ | ⏳ | Linux remote execution |
+| WinRM Agentless | ⏳ | ⏳ | ⏳ | Windows remote execution |
+| ECS Agent | ⏳ | ⏳ | ⏳ | AWS ECS deployment |
+| Nomad Agent | ⏳ | ⏳ | ⏳ | HashiCorp Nomad deployment |
+| Rollback | ⏳ | ⏳ | ⏳ | Previous version restore |
+| **Progressive Delivery** | | | | |
+| A/B Releases | ⏳ | ⏳ | ⏳ | Traffic splitting |
+| Canary Deployments | ⏳ | ⏳ | ⏳ | Gradual rollout |
+| Blue-Green | ⏳ | ⏳ | ⏳ | Zero-downtime switch |
+| Traffic Routing Plugins | ⏳ | ⏳ | ⏳ | Nginx/HAProxy/Traefik/ALB |
+| **Workflow Engine** | | | | |
+| DAG Workflow Execution | ⏳ | ⏳ | ⏳ | Directed acyclic graphs |
+| Step Registry | ⏳ | ⏳ | ⏳ | Built-in + custom steps |
+| Workflow Templates | ⏳ | ⏳ | ⏳ | Reusable workflows |
+| Script Steps (Bash/C#) | ⏳ | ⏳ | ⏳ | Custom automation |
+| **Evidence & Audit** | | | | |
+| Evidence Packets | ⏳ | ⏳ | ⏳ | Sealed decision bundles |
+| Version Stickers | ⏳ | ⏳ | ⏳ | On-target deployment records |
+| Audit Export | ⏳ | ⏳ | ⏳ | Compliance reporting |
+| **Integrations** | | | | |
+| GitHub Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
+| GitLab Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
+| Harbor Integration | ⏳ | ⏳ | ⏳ | Registry + scanning |
+| HashiCorp Vault | ⏳ | ⏳ | ⏳ | Secrets management |
+| AWS Secrets Manager | ⏳ | ⏳ | ⏳ | Secrets management |
+| **Plugin System** | | | | |
+| Plugin Manifest | ⏳ | ⏳ | ⏳ | Static declarations |
+| Connector Runtime | ⏳ | ⏳ | ⏳ | Dynamic execution |
+| Step Providers | ⏳ | ⏳ | ⏳ | Custom workflow steps |
+| Agent Types | ⏳ | ⏳ | ⏳ | Custom deployment targets |
+
+---
+
+## Plan Limits
+
+| Limit | Free | Pro | Enterprise |
+|-------|:----:|:---:|:----------:|
+| **Environments** | 3 | 33 | Unlimited |
+| **New Digests/Day** | 333 | 3,333 | Unlimited |
+| **Deployments** | Fair use | Fair use | Fair use |
+| **Targets per Environment** | 10 | 100 | Unlimited |
+| **Agents** | 3 | 33 | Unlimited |
+| **Integrations** | 5 | 50 | Unlimited |
 
 ---