# 4 · Feature Matrix — **Stella Ops**

*(rev 2.0 · 14 Jul 2025)*

| Category | Capability | Free Tier (≤ 333 scans / day) | Community Plug‑in | Commercial Add‑On | Notes / ETA |
| ---------------------- | ------------------------------------- | ----------------------------- | ----------------- | ------------------- | ------------------------------------------ |
| **SBOM Ingestion** | Trivy‑JSON, SPDX‑JSON, CycloneDX‑JSON | ✅ | — | — | Auto‑detect on upload |
| | **Delta‑SBOM Cache** | ✅ | — | — | Warm scans < 1 s |
| **Scanning** | CVE lookup via local DB | ✅ | — | — | Update job ships weekly feeds |
| | Licence‑risk detection | ⏳ (roadmap Q4‑2025) | — | — | SPDX licence list |
| **Policy Engine** | YAML rules | ✅ | — | — | In‑UI editor |
| | OPA / Rego | ⏳ (β Q1‑2026) | ✅ plug‑in | — | Plug‑in enables Rego |
| **Registry** | Anonymous internal registry | ✅ | — | — | `StellaOps.Registry` image |
| **Attestation** | Cosign signing | ⏳ (Q1‑2026) | — | — | Requires `StellaOpsAttestor` |
| | SLSA provenance v1.0 | — | — | ⏳ (commercial 2026) | Enterprise need |
| | Rekor transparency log | — | ✅ plug‑in | — | Air‑gap replica support |
| **Quota & Throttling** | 333 scans/day soft limit | ✅ | — | — | Yellow banner at 200, wait‑wall post‑limit |
| | Usage API (`/quota`) | ✅ | — | — | CI can poll remaining scans |
| **User Interface** | Dark / light mode | ✅ | — | — | Auto‑detect OS theme |
| | Russian localisation | ✅ | — | — | Default if `Accept-Language: ru` |
| | Audit trail | ✅ | — | — | Mongo history |
| **Deployment** | Docker Compose bundle | ✅ | — | — | Single‑node |
| | Helm chart (K8s) | ✅ | — | — | Horizontal scaling |
| | High‑availability split services | — | — | ✅ (Add‑On) | HA Redis & Mongo |
| **Extensibility** | .NET hot‑load plug‑ins | ✅ | N/A | — | AGPL reference SDK |
| | Community plug‑in marketplace | — | ⏳ (β Q2‑2026) | — | Moderated listings |
| **Telemetry** | Opt‑in anonymous metrics | ✅ | — | — | Required for quota satisfaction KPI |
| **Quota & Tokens** | **Client‑JWT issuance** | ✅ (online 12 h token) | — | — | `/connect/token` |
| | **Offline Client‑JWT (30 d)** | ✅ via OUK | — | — | Refreshed monthly in OUK |

> **Legend:** ✅ = Included · ⏳ = Planned · — = Not applicable
>
> Rows marked “Commercial Add‑On” are optional paid components shipping outside the AGPL‑core; everything else is FOSS.

---

*Last updated: 14 Jul 2025 (quota rev 2.0).*