# 4 · Feature Matrix — **Stella Ops** *(rev 4.0 · 24 Dec 2025)*

> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.

---

## Pricing Tiers Overview

| Tier | Scans/Day | Registration | Token Refresh | Target User | Price |
|------|-----------|--------------|---------------|-------------|-------|
| **Free** | 33 | None | 12h auto | Individual developer | $0 |
| **Community** | 333 | Required | 30d manual | Startups, small teams (<25) | $0 |
| **Enterprise** | 2,000+ | SSO/Contract | Annual | Organizations (25+), regulated | Contact Sales |

**Key Differences:**

- **Free → Community**: Same features, 10× quota, requires registration
- **Community → Enterprise**: Compliance, scale, multi-team, support

---

## Competitive Moat Features

*These differentiators are available across all tiers to build brand and adoption.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator |
| Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles |
| VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | ✅ | ✅ | ✅ | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection |
| Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets |
| Deterministic Replay | ✅ | ✅ | ✅ | `stella replay srm.yaml` |

---

## SBOM & Ingestion

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | ✅ | ✅ | ✅ | |
| SPDX-JSON 3.0.1 Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX 1.6/1.7 Ingestion | ✅ | ✅ | ✅ | |
| Auto-format Detection | ✅ | ✅ | ✅ | |
| Delta-SBOM Cache | ✅ | ✅ | ✅ | Warm scans <1s |
| SBOM Generation (all formats) | ✅ | ✅ | ✅ | |
| Semantic SBOM Diff | ✅ | ✅ | ✅ | |
| BYOS (Bring-Your-Own-SBOM) | ✅ | ✅ | ✅ | |
| **SBOM Lineage Ledger** | — | — | ✅ | Full versioned history |
| **SBOM Lineage API** | — | — | ✅ | Traversal queries |

---

## Scanning & Detection

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | ✅ | ✅ | ✅ | |
| Licence-Risk Detection | ⏳ | ⏳ | ⏳ | Q4-2025 |
| **Language Analyzers (All 8)** | | | | |
| — .NET/C#, Java, Go, Python | ✅ | ✅ | ✅ | |
| — Node.js, Ruby, Bun, Native | ✅ | ✅ | ✅ | |
| **Progressive Fidelity Modes** | | | | |
| — Quick Mode | ✅ | ✅ | ✅ | |
| — Standard Mode | ✅ | ✅ | ✅ | |
| — Deep Mode | — | ✅ | ✅ | Full analysis |
| Base Image Detection | ✅ | ✅ | ✅ | |
| Layer-Aware Analysis | ✅ | ✅ | ✅ | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |

---

## Reachability Analysis

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | ✅ | ✅ | ✅ | |
| Entrypoint Detection | ✅ | ✅ | ✅ | 9+ framework types |
| BFS Reachability | ✅ | ✅ | ✅ | |
| Reachability Drift Detection | ✅ | ✅ | ✅ | |
| Binary Loader Resolution | — | ✅ | ✅ | ELF/PE/Mach-O |
| Feature Flag/Config Gating | — | ✅ | ✅ | Layer 3 analysis |
| Runtime Signal Correlation | — | — | ✅ | Zastava integration |
| Gate Detection (auth/admin) | — | — | ✅ | Enterprise policies |
| Path Witness Generation | — | — | ✅ | Audit evidence |
| Reachability Mini-Map API | — | — | ✅ | UI visualization |
| Runtime Timeline API | — | — | ✅ | Temporal analysis |

---

## Binary Analysis (BinaryIndex)

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | ✅ | ✅ | ✅ | Build-ID, hashes |
| Build-ID Vulnerability Lookup | ✅ | ✅ | ✅ | |
| Debian/Ubuntu Corpus | ✅ | ✅ | ✅ | |
| RPM/RHEL Corpus | — | ✅ | ✅ | |
| Patch-Aware Backport Detection | — | ✅ | ✅ | |
| PE/Mach-O/ELF Parsers | — | ✅ | ✅ | |
| **Binary Fingerprint Generation** | — | — | ✅ | Advanced detection |
| **Fingerprint Matching Engine** | — | — | ✅ | Similarity search |
| **DWARF/Symbol Analysis** | — | — | ✅ | Debug symbols |

---

## Advisory Sources (Concelier)

| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | ✅ | ✅ | ✅ | |
| GHSA | ✅ | ✅ | ✅ | |
| OSV | ✅ | ✅ | ✅ | |
| Alpine SecDB | ✅ | ✅ | ✅ | |
| Debian Security Tracker | ✅ | ✅ | ✅ | |
| Ubuntu USN | ✅ | ✅ | ✅ | |
| RHEL/CentOS OVAL | — | ✅ | ✅ | |
| KEV (Exploited Vulns) | ✅ | ✅ | ✅ | |
| EPSS v4 | ✅ | ✅ | ✅ | |
| **Custom Advisory Connectors** | — | — | ✅ | Private feeds |
| **Advisory Merge Engine** | — | — | ✅ | Conflict resolution |

---

## VEX Processing (Excititor)

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX VEX Ingestion | ✅ | ✅ | ✅ | |
| CSAF VEX Ingestion | — | ✅ | ✅ | |
| VEX Consensus Resolver | ✅ | ✅ | ✅ | |
| Trust Vector Scoring (P/C/R) | ✅ | ✅ | ✅ | |
| Claim Strength Multipliers | ✅ | ✅ | ✅ | |
| Freshness Decay | ✅ | ✅ | ✅ | |
| **Conflict Detection & Penalty** | — | — | ✅ | K4 lattice logic |
| **VEX Conflict Studio UI** | — | — | ✅ | Visual resolution |
| **Trust Calibration Service** | — | — | ✅ | Org-specific tuning |
| **VEX Hub (Distribution)** | — | — | ✅ | Internal VEX network |

---

## Policy Engine

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | ✅ | ✅ | ✅ | Basic rules |
| Belnap K4 Four-Valued Logic | ✅ | ✅ | ✅ | |
| Security Atoms (6 types) | ✅ | ✅ | ✅ | |
| Disposition Selection (ECMA-424) | ✅ | ✅ | ✅ | |
| Minimum Confidence Gate | ✅ | ✅ | ✅ | |
| Unknowns Budget Gate | — | ✅ | ✅ | |
| Source Quota Gate | — | — | ✅ | 60% cap enforcement |
| Reachability Requirement Gate | — | — | ✅ | For criticals |
| **OPA/Rego Integration** | — | — | ✅ | Custom policies |
| **Exception Objects & Workflow** | — | — | ✅ | Approval chains |
| **Score Policy YAML** | — | — | ✅ | Full customization |
| **Configurable Scoring Profiles** | — | — | ✅ | Simple/Advanced |
| **Policy Version History** | — | — | ✅ | Audit trail |

---

## Attestation & Signing

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | ✅ | ✅ | ✅ | |
| in-toto Statement Structure | ✅ | ✅ | ✅ | |
| SBOM Predicate | ✅ | ✅ | ✅ | |
| VEX Predicate | ✅ | ✅ | ✅ | |
| Reachability Predicate | — | ✅ | ✅ | |
| Policy Decision Predicate | — | ✅ | ✅ | |
| Verdict Manifest (signed) | — | ✅ | ✅ | |
| Verdict Replay Verification | — | ✅ | ✅ | |
| **Human Approval Predicate** | — | — | ✅ | Workflow attestation |
| **Boundary Predicate** | — | — | ✅ | Network exposure |
| **Key Rotation Management** | — | — | ✅ | Enterprise key ops |
| **SLSA Provenance v1.0** | — | — | ✅ | Supply chain |
| **Rekor Transparency Log** | — | — | ✅ | Public attestation |
| **Cosign Integration** | — | — | ✅ | Sigstore ecosystem |

---

## Regional Crypto (Sovereign Profiles)

*Compliance features for regulated industries.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | ✅ | ✅ | ✅ | |
| **FIPS 140-2/3 Mode** | — | — | ✅ | US Federal |
| **eIDAS Signatures** | — | — | ✅ | EU Compliance |
| **GOST/CryptoPro** | — | — | ✅ | Russia |
| **SM National Standard** | — | — | ✅ | China |
| **Post-Quantum (Dilithium)** | — | — | ✅ | Future-proof |
| **Crypto Plugin Architecture** | — | — | ✅ | Custom HSM |

---

## Determinism & Reproducibility

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | ✅ | ✅ | ✅ | |
| Content-Addressed IDs | ✅ | ✅ | ✅ | SHA-256 |
| Replay Manifest (SRM) | ✅ | ✅ | ✅ | |
| `stella replay` CLI | ✅ | ✅ | ✅ | |
| Score Explanation Arrays | ✅ | ✅ | ✅ | |
| Evidence Freshness Multipliers | — | ✅ | ✅ | |
| Proof Coverage Metrics | — | ✅ | ✅ | |
| **Fidelity Metrics (BF/SF/PF)** | — | — | ✅ | Audit dashboards |
| **FN-Drift Rate Tracking** | — | — | ✅ | Quality monitoring |
| **Determinism Gate CI** | — | — | ✅ | Automated checks |

---

## Scoring & Risk Assessment

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | ✅ | ✅ | ✅ | |
| EPSS v4 Probability | ✅ | ✅ | ✅ | |
| Priority Band Classification | ✅ | ✅ | ✅ | |
| EPSS-at-Scan Immutability | — | ✅ | ✅ | |
| Unified Confidence Model | — | ✅ | ✅ | 5-factor |
| **Entropy-Based Scoring** | — | — | ✅ | Advanced |
| **Gate Multipliers** | — | — | ✅ | Reachability-aware |
| **Unknowns Pressure Factor** | — | — | ✅ | Risk budgets |
| **Custom Scoring Profiles** | — | — | ✅ | Org-specific |

---

## Evidence & Findings

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | ✅ | ✅ | ✅ | |
| Evidence Graph View | ✅ | ✅ | ✅ | Basic |
| Decision Capsules | ✅ | ✅ | ✅ | |
| **Findings Ledger (Immutable)** | — | — | ✅ | Audit trail |
| **Evidence Locker (Sealed)** | — | — | ✅ | Export/import |
| **Evidence TTL Policies** | — | — | ✅ | Retention rules |
| **Evidence Size Budgets** | — | — | ✅ | Storage governance |
| **Retention Tiers** | — | — | ✅ | Hot/Warm/Cold |
| **Privacy Controls** | — | — | ✅ | Redaction |
| **Audit Pack Export** | — | — | ✅ | Compliance bundles |

---

## CLI Capabilities

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | ✅ | ✅ | ✅ | |
| SBOM Inspect & Diff | ✅ | ✅ | ✅ | |
| Deterministic Replay | ✅ | ✅ | ✅ | |
| Attestation Verify | — | ✅ | ✅ | |
| Unknowns Budget Check | — | ✅ | ✅ | |
| Evidence Export | — | ✅ | ✅ | |
| **Audit Pack Operations** | — | — | ✅ | Full workflow |
| **Binary Match Inspection** | — | — | ✅ | Advanced |
| **Crypto Plugin Commands** | — | — | ✅ | Regional crypto |
| **Admin Utilities** | — | — | ✅ | Ops tooling |

---

## Web UI Capabilities

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | ✅ | ✅ | ✅ | |
| Findings Row Component | ✅ | ✅ | ✅ | |
| Evidence Drawer | ✅ | ✅ | ✅ | |
| Proof Tab | ✅ | ✅ | ✅ | |
| Confidence Meter | ✅ | ✅ | ✅ | |
| Locale Support | — | ✅ | ✅ | Cyrillic, etc. |
| Reproduce Verdict Button | — | ✅ | ✅ | |
| **Audit Trail UI** | — | — | ✅ | Full history |
| **Trust Algebra Panel** | — | — | ✅ | P/C/R visualization |
| **Claim Comparison Table** | — | — | ✅ | Conflict view |
| **Policy Chips Display** | — | — | ✅ | Gate status |
| **Reachability Mini-Map** | — | — | ✅ | Path visualization |
| **Runtime Timeline** | — | — | ✅ | Temporal view |
| **Operator/Auditor Toggle** | — | — | ✅ | Role separation |
| **Knowledge Snapshot UI** | — | — | ✅ | Air-gap prep |
| **Keyboard Shortcuts** | — | — | ✅ | Power users |

---

## Quota & Operations

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | ✅ | ✅ | ✅ | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | ✅ | ✅ | ✅ | |
| 429 Backpressure | ✅ | ✅ | ✅ | |
| Retry-After Headers | ✅ | ✅ | ✅ | |
| **Priority Queue** | — | — | ✅ | Guaranteed capacity |
| **Burst Allowance** | — | — | ✅ | 3× daily for 1hr |
| **Custom Quotas** | — | — | ✅ | Per contract |

---

## Offline & Air-Gap

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | — | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | — | ✅ | ✅ | |
| One-Command Replay | — | ✅ | ✅ | |
| **Sealed Knowledge Snapshots** | — | — | ✅ | Full feed export |
| **Air-Gap Bundle Manifest** | — | — | ✅ | Transfer packages |
| **No-Egress Enforcement** | — | — | ✅ | Strict isolation |
| **Offline JWT (90d)** | — | — | ✅ | Extended tokens |

---

## Deployment

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | ✅ | ✅ | ✅ | Single-node |
| Helm Chart (K8s) | — | ✅ | ✅ | |
| PostgreSQL 16+ | ✅ | ✅ | ✅ | |
| Valkey 8.0+ | ✅ | ✅ | ✅ | |
| RustFS (S3) | — | ✅ | ✅ | |
| **High-Availability** | — | — | ✅ | Multi-replica |
| **Horizontal Scaling** | — | — | ✅ | Auto-scale |
| **Dedicated Capacity** | — | — | ✅ | Reserved resources |

---

## Access Control & Identity

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | ✅ | ✅ | ✅ | |
| API Keys | ✅ | ✅ | ✅ | |
| **SSO/SAML Integration** | — | — | ✅ | Okta, Azure AD |
| **OIDC Support** | — | — | ✅ | |
| **Advanced RBAC** | — | — | ✅ | Team-based |
| **Multi-Tenant Management** | — | — | ✅ | Org hierarchy |
| **Audit Log Export** | — | — | ✅ | SIEM integration |

---

## Notifications & Integrations

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | — | ✅ | ✅ | |
| In-App Notifications | ✅ | ✅ | ✅ | |
| EPSS Change Alerts | — | ✅ | ✅ | |
| **Slack Integration** | — | — | ✅ | Enterprise Grid |
| **Teams Integration** | — | — | ✅ | Enterprise |
| **Custom Webhooks** | — | — | ✅ | Any endpoint |
| **CI/CD Gates** | — | — | ✅ | GitLab/GitHub/Jenkins |
| **Zastava Registry Hooks** | — | — | ✅ | Auto-scan on push |

---

## Scheduling & Automation

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | ✅ | ✅ | ✅ | |
| **Scheduled Scans** | — | — | ✅ | Cron-based |
| **Task Pack Orchestration** | — | — | ✅ | Declarative workflows |
| **EPSS Daily Refresh** | — | — | ✅ | Auto-update |
| **Event-Driven Scanning** | — | — | ✅ | On registry push |

---

## Observability & Telemetry

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | ✅ | ✅ | ✅ | |
| Opt-In Telemetry | ✅ | ✅ | ✅ | |
| **OpenTelemetry Traces** | — | — | ✅ | Full tracing |
| **Prometheus Export** | — | — | ✅ | Custom dashboards |
| **Quality KPIs Dashboard** | — | — | ✅ | Triage metrics |
| **SLA Monitoring** | — | — | ✅ | Uptime tracking |

---

## Support & Services

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | ✅ | ✅ | ✅ | |
| Community Forums | ✅ | ✅ | ✅ | |
| GitHub Issues | ✅ | ✅ | ✅ | |
| **Email Support** | — | — | ✅ | Business hours |
| **Priority Support** | — | — | ✅ | 4hr response |
| **24/7 Critical Support** | — | — | ✅ | Add-on |
| **Dedicated CSM** | — | — | ✅ | Named contact |
| **Professional Services** | — | — | ✅ | Implementation |
| **Training & Certification** | — | — | ✅ | Team enablement |
| **SLA Guarantee** | — | — | ✅ | 99.9% uptime |

---

## Version Comparison

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | ✅ | ✅ | ✅ | |
| Debian (EVR) | ✅ | ✅ | ✅ | |
| Alpine (APK) | ✅ | ✅ | ✅ | |
| SemVer | ✅ | ✅ | ✅ | |
| PURL Resolution | ✅ | ✅ | ✅ | |

---

## Summary by Tier

### Free Tier (33 scans/day)

**Target:** Individual developers, OSS contributors, evaluation

- All language analyzers
- Basic scanning and SBOM generation
- Core determinism features
- Basic VEX and policy
- Docker Compose deployment
- Community support

### Community Tier (333 scans/day)

**Target:** Startups, small teams (<25), active open source projects

Everything in Free, plus:

- 10× scan quota
- Deep analysis mode
- Binary analysis basics
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications
- Monthly OUK access

**Registration required, 30-day token renewal**

### Enterprise Tier (2,000+ scans/day)

**Target:** Organizations 25+, regulated industries, compliance-driven

Everything in Community, plus:

- **Compliance**: Regional crypto (FIPS/eIDAS/GOST/SM), SLSA, Rekor
- **Scale**: HA, horizontal scaling, priority queue
- **Access**: SSO/SAML, advanced RBAC, multi-tenant
- **Advanced**: Binary fingerprints, trust calibration, custom policies
- **Air-Gap**: Sealed snapshots, extended offline tokens
- **Integration**: Enterprise Slack/Teams, CI/CD gates, webhooks
- **Support**: SLA, priority support, dedicated CSM

---

## Statistics Summary

| Metric | Value |
|--------|-------|
| **Total Features** | 150+ |
| **Free Tier Features** | ~45 |
| **Community Tier Features** | ~85 |
| **Enterprise Tier Features** | 150+ |
| **Language Analyzers** | 8 (all tiers) |
| **Advisory Sources** | 9 (Free), 10 (Community), 11+ (Enterprise) |
| **Crypto Profiles** | 1 (Free/Community), 6 (Enterprise) |

---

> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned

---

*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*