# Feature Matrix — Stella Ops Suite *(rev 5.1 · 16 Jan 2026)*

> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.

---

## Product Evolution

**Stella Ops Suite** is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.

- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity
- **Evidence packets** — Every release decision is cryptographically signed and stored

---

## Pricing Model

**Principle:** Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes.

| Plan | Price | Environments | New Digests/Day | Deployments | Notes |
|------|-------|--------------|-----------------|-------------|-------|
| **Free** | $0/month | 3 | 333 | Unlimited (fair use) | Full features |
| **Pro** | $699/month | 33 | 3,333 | Unlimited (fair use) | Same features |
| **Enterprise** | $1,999/month | Unlimited | Unlimited | Unlimited | Fair use on mirroring/audit bandwidth |

**Key Principles:**

- All plans include all features (no feature gating)
- Limits are environments + new digests analyzed per day
- Unlimited deployments with fair use policy

---

## Competitive Moat Features

*These differentiators are available across all plans.*

| Capability | Free | Pro | Enterprise | Notes |
|------------|:----:|:---:|:----------:|-------|
| Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator |
| Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles |
| VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | ✅ | ✅ | ✅ | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection |
| Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets |
| Deterministic Replay | ✅ | ✅ | ✅ | `stella replay srm.yaml` |
| Non-Kubernetes First-Class | ✅ | ✅ | ✅ | Docker/Compose/ECS/Nomad targets |
| Digest-First Release Identity | ✅ | ✅ | ✅ | Immutable releases |

---

## Release Orchestration (Planned)

*Release orchestration capabilities are planned for implementation. All plans will include all features.*

| Capability | Free | Pro | Enterprise | Notes |
|------------|:----:|:---:|:----------:|-------|
| **Environment Management** | | | | |
| Environment CRUD | ⏳ | ⏳ | ⏳ | Dev/Stage/Prod definitions |
| Freeze Windows | ⏳ | ⏳ | ⏳ | Calendar-based blocking |
| Approval Policies | ⏳ | ⏳ | ⏳ | Per-environment rules |
| **Release Management** | | | | |
| Component Registry | ⏳ | ⏳ | ⏳ | Service → repository mapping |
| Release Bundles | ⏳ | ⏳ | ⏳ | Component → digest bundles |
| Semantic Versioning | ⏳ | ⏳ | ⏳ | SemVer release versions |
| Tag → Digest Resolution | ⏳ | ⏳ | ⏳ | Immutable digest pinning |
| **Promotion & Gates** | | | | |
| Promotion Workflows | ⏳ | ⏳ | ⏳ | Environment transitions |
| Security Gate | ⏳ | ⏳ | ⏳ | Scan verdict evaluation |
| Approval Gate | ⏳ | ⏳ | ⏳ | Human sign-off |
| Freeze Window Gate | ⏳ | ⏳ | ⏳ | Calendar enforcement |
| Policy Gate (OPA/Rego) | ⏳ | ⏳ | ⏳ | Custom rules |
| Decision Records | ⏳ | ⏳ | ⏳ | Evidence-linked decisions |
| **Deployment Execution** | | | | |
| Docker Host Agent | ⏳ | ⏳ | ⏳ | Direct container deployment |
| Compose Host Agent | ⏳ | ⏳ | ⏳ | Docker Compose deployment |
| SSH Agentless | ⏳ | ⏳ | ⏳ | Linux remote execution |
| WinRM Agentless | ⏳ | ⏳ | ⏳ | Windows remote execution |
| ECS Agent | ⏳ | ⏳ | ⏳ | AWS ECS deployment |
| Nomad Agent | ⏳ | ⏳ | ⏳ | HashiCorp Nomad deployment |
| Rollback | ⏳ | ⏳ | ⏳ | Previous version restore |
| **Progressive Delivery** | | | | |
| A/B Releases | ⏳ | ⏳ | ⏳ | Traffic splitting |
| Canary Deployments | ⏳ | ⏳ | ⏳ | Gradual rollout |
| Blue-Green | ⏳ | ⏳ | ⏳ | Zero-downtime switch |
| Traffic Routing Plugins | ⏳ | ⏳ | ⏳ | Nginx/HAProxy/Traefik/ALB |
| **Workflow Engine** | | | | |
| DAG Workflow Execution | ⏳ | ⏳ | ⏳ | Directed acyclic graphs |
| Step Registry | ⏳ | ⏳ | ⏳ | Built-in + custom steps |
| Workflow Templates | ⏳ | ⏳ | ⏳ | Reusable workflows |
| Script Steps (Bash/C#) | ⏳ | ⏳ | ⏳ | Custom automation |
| **Evidence & Audit** | | | | |
| Evidence Packets | ⏳ | ⏳ | ⏳ | Sealed decision bundles |
| Version Stickers | ⏳ | ⏳ | ⏳ | On-target deployment records |
| Audit Export | ⏳ | ⏳ | ⏳ | Compliance reporting |
| **Integrations** | | | | |
| GitHub Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| GitLab Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| Harbor Integration | ⏳ | ⏳ | ⏳ | Registry + scanning |
| HashiCorp Vault | ⏳ | ⏳ | ⏳ | Secrets management |
| AWS Secrets Manager | ⏳ | ⏳ | ⏳ | Secrets management |
| **Plugin System** | | | | |
| Plugin Manifest | ⏳ | ⏳ | ⏳ | Static declarations |
| Connector Runtime | ⏳ | ⏳ | ⏳ | Dynamic execution |
| Step Providers | ⏳ | ⏳ | ⏳ | Custom workflow steps |
| Agent Types | ⏳ | ⏳ | ⏳ | Custom deployment targets |

---

## Plan Limits

| Limit | Free | Pro | Enterprise |
|-------|:----:|:---:|:----------:|
| **Environments** | 3 | 33 | Unlimited |
| **New Digests/Day** | 333 | 3,333 | Unlimited |
| **Deployments** | Fair use | Fair use | Fair use |
| **Targets per Environment** | 10 | 100 | Unlimited |
| **Agents** | 3 | 33 | Unlimited |
| **Integrations** | 5 | 50 | Unlimited |

---

## SBOM & Ingestion

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | ✅ | ✅ | ✅ | |
| SPDX-JSON 3.0.1 Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | ✅ | ✅ | ✅ | |
| Auto-format Detection | ✅ | ✅ | ✅ | |
| Delta-SBOM Cache | ✅ | ✅ | ✅ | Warm scans <1s |
| SBOM Generation (all formats) | ✅ | ✅ | ✅ | |
| Semantic SBOM Diff | ✅ | ✅ | ✅ | |
| BYOS (Bring-Your-Own-SBOM) | ✅ | ✅ | ✅ | |
| **SBOM Lineage Ledger** | — | — | ✅ | Full versioned history |
| **SBOM Lineage API** | — | — | ✅ | Traversal queries |

---

## Scanning & Detection

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | ✅ | ✅ | ✅ | |
| Licence-Risk Detection | ⏳ | ⏳ | ⏳ | Q4-2025 |
| **Automatic Detection (Class A)** | | | | Runs implicitly during scan |
| — Secrets Detection | ✅ | ✅ | ✅ | API keys, tokens, passwords; results in findings (see [docs/modules/ui/components/findings-list.md](docs/modules/ui/components/findings-list.md)) |
| — OS Package Analyzers | ✅ | ✅ | ✅ | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see [docs/modules/cli/guides/commands/sbom.md](docs/modules/cli/guides/commands/sbom.md)) |
| **Language Analyzers (All 11)** | | | | |
| — .NET/C#, Java, Go, Python | ✅ | ✅ | ✅ | |
| — Node.js, Ruby, Bun, Deno | ✅ | ✅ | ✅ | |
| — PHP, Rust, Native binaries | ✅ | ✅ | ✅ | |
| **Progressive Fidelity Modes** | | | | |
| — Quick Mode | ✅ | ✅ | ✅ | |
| — Standard Mode | ✅ | ✅ | ✅ | |
| — Deep Mode | — | ✅ | ✅ | Full analysis |
| Base Image Detection | ✅ | ✅ | ✅ | |
| Layer-Aware Analysis | ✅ | ✅ | ✅ | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |

---

## Reachability Analysis

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | ✅ | ✅ | ✅ | |
| Entrypoint Detection | ✅ | ✅ | ✅ | 9+ framework types |
| BFS Reachability | ✅ | ✅ | ✅ | |
| Reachability Drift Detection | ✅ | ✅ | ✅ | |
| Binary Loader Resolution | — | ✅ | ✅ | ELF/PE/Mach-O |
| Feature Flag/Config Gating | — | ✅ | ✅ | Layer 3 analysis |
| Runtime Signal Correlation | — | — | ✅ | Zastava integration |
| Gate Detection (auth/admin) | — | — | ✅ | Enterprise policies |
| Path Witness Generation | — | — | ✅ | Audit evidence |
| Reachability Mini-Map API | — | — | ✅ | UI visualization |
| Runtime Timeline API | — | — | ✅ | Temporal analysis |

---

## Binary Analysis (BinaryIndex)

*Binary analysis capabilities are CLI-first (Class B). UI integration is minimal until user demand validates it.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | ✅ | ✅ | ✅ | Build-ID, hashes |
| Build-ID Vulnerability Lookup | ✅ | ✅ | ✅ | |
| Debian/Ubuntu Corpus | ✅ | ✅ | ✅ | |
| RPM/RHEL Corpus | — | ✅ | ✅ | |
| Patch-Aware Backport Detection | — | ✅ | ✅ | |
| PE/Mach-O/ELF Parsers | — | ✅ | ✅ | |
| **Binary Fingerprint Generation** | — | — | ✅ | CLI: `stella binary fingerprint export` |
| **Fingerprint Matching Engine** | — | — | ✅ | Similarity search |
| **Binary Diff** | — | — | ✅ | CLI: `stella binary diff ` |
| **DWARF/Symbol Analysis** | — | — | ✅ | Debug symbols |

**CLI Commands (Class B):**

- `stella binary fingerprint export ` — Export fingerprint data (function hashes, section hashes, symbol table)
- `stella binary diff ` — Compare binaries with function/symbol-level diff
- Output formats: `--format json|yaml|table`
- Usage and examples: [docs/modules/cli/guides/commands/binary.md](docs/modules/cli/guides/commands/binary.md)

---

## Advisory Sources (Concelier)

*Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.*

| Source Category | Connectors | Free | Community | Enterprise | Notes |
|-----------------|-----------|:----:|:---------:|:----------:|-------|
| **National CVE Databases** | | | | | |
| — NVD (NIST) | ✅ | ✅ | ✅ | ✅ | Primary CVE source |
| — CVE (MITRE) | ✅ | ✅ | ✅ | ✅ | CVE Record format 5.0 |
| **OSS Ecosystems** | | | | | |
| — OSV | ✅ | ✅ | ✅ | ✅ | Multi-ecosystem |
| — GHSA | ✅ | ✅ | ✅ | ✅ | GitHub Security Advisories |
| **Linux Distributions** | | | | | |
| — Alpine SecDB | ✅ | ✅ | ✅ | ✅ | |
| — Debian Security Tracker | ✅ | ✅ | ✅ | ✅ | |
| — Ubuntu USN | ✅ | ✅ | ✅ | ✅ | |
| — RHEL/CentOS OVAL | — | ✅ | ✅ | ✅ | |
| — SUSE OVAL | — | ✅ | ✅ | ✅ | |
| — Astra Linux | — | — | ✅ | ✅ | Russian distro |
| **CERTs / National CSIRTs** | | | | | |
| — CISA KEV | ✅ | ✅ | ✅ | ✅ | Known Exploited Vulns |
| — CISA ICS-CERT | — | ✅ | ✅ | ✅ | Industrial control systems |
| — CERT-CC | — | ✅ | ✅ | ✅ | Carnegie Mellon |
| — CERT-FR | — | ✅ | ✅ | ✅ | France |
| — CERT-Bund (BSI) | — | ✅ | ✅ | ✅ | Germany |
| — CERT-In | — | ✅ | ✅ | ✅ | India |
| — ACSC | — | ✅ | ✅ | ✅ | Australia |
| — CCCS | — | ✅ | ✅ | ✅ | Canada |
| — KISA | — | ✅ | ✅ | ✅ | South Korea |
| — JVN | — | ✅ | ✅ | ✅ | Japan |
| **Russian Federation Sources** | | | | | |
| — FSTEC BDU | — | — | ✅ | ✅ | Russian vuln database |
| — NKCKI | — | — | ✅ | ✅ | Critical infrastructure |
| **Vendor PSIRTs** | | | | | |
| — Microsoft MSRC | — | ✅ | ✅ | ✅ | |
| — Cisco PSIRT | — | ✅ | ✅ | ✅ | |
| — Oracle CPU | — | ✅ | ✅ | ✅ | |
| — VMware | — | ✅ | ✅ | ✅ | |
| — Adobe PSIRT | — | ✅ | ✅ | ✅ | |
| — Apple Security | — | ✅ | ✅ | ✅ | |
| — Chromium | — | ✅ | ✅ | ✅ | |
| **ICS/SCADA** | | | | | |
| — Kaspersky ICS-CERT | — | — | ✅ | ✅ | Industrial security |
| **Risk Scoring** | | | | | |
| — EPSS v4 | ✅ | ✅ | ✅ | ✅ | Exploit prediction |
| **Enterprise Features** | | | | | |
| Custom Advisory Connectors | — | — | — | ✅ | Private feeds |
| Advisory Merge Engine | — | — | — | ✅ | Conflict resolution |
| Connector Health CLI | ✅ | ✅ | ✅ | ✅ | `stella db connectors status` |

**Connector Operations Matrix (Status/Auth/Runbooks):**

| Connector | Status | Auth | Ops Runbook |
| --- | --- | --- | --- |
| NVD (NIST) | stable | api-key | [docs/modules/concelier/operations/connectors/nvd.md](docs/modules/concelier/operations/connectors/nvd.md) |
| CVE (MITRE) | stable | none | [docs/modules/concelier/operations/connectors/cve.md](docs/modules/concelier/operations/connectors/cve.md) |
| OSV | stable | none | [docs/modules/concelier/operations/connectors/osv.md](docs/modules/concelier/operations/connectors/osv.md) |
| GHSA | stable | api-token | [docs/modules/concelier/operations/connectors/ghsa.md](docs/modules/concelier/operations/connectors/ghsa.md) |
| Alpine SecDB | stable | none | [docs/modules/concelier/operations/connectors/alpine.md](docs/modules/concelier/operations/connectors/alpine.md) |
| Debian Security Tracker | stable | none | [docs/modules/concelier/operations/connectors/debian.md](docs/modules/concelier/operations/connectors/debian.md) |
| Ubuntu USN | stable | none | [docs/modules/concelier/operations/connectors/ubuntu.md](docs/modules/concelier/operations/connectors/ubuntu.md) |
| Red Hat OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/redhat.md](docs/modules/concelier/operations/connectors/redhat.md) |
| SUSE OVAL/CSAF | stable | none | [docs/modules/concelier/operations/connectors/suse.md](docs/modules/concelier/operations/connectors/suse.md) |
| Astra Linux | beta | none | [docs/modules/concelier/operations/connectors/astra.md](docs/modules/concelier/operations/connectors/astra.md) |
| CISA KEV | stable | none | [docs/modules/concelier/operations/connectors/cve-kev.md](docs/modules/concelier/operations/connectors/cve-kev.md) |
| CISA ICS-CERT | stable | none | [docs/modules/concelier/operations/connectors/ics-cisa.md](docs/modules/concelier/operations/connectors/ics-cisa.md) |
| CERT-CC | stable | none | [docs/modules/concelier/operations/connectors/cert-cc.md](docs/modules/concelier/operations/connectors/cert-cc.md) |
| CERT-FR | stable | none | [docs/modules/concelier/operations/connectors/cert-fr.md](docs/modules/concelier/operations/connectors/cert-fr.md) |
| CERT-Bund | stable | none | [docs/modules/concelier/operations/connectors/certbund.md](docs/modules/concelier/operations/connectors/certbund.md) |
| CERT-In | stable | none | [docs/modules/concelier/operations/connectors/cert-in.md](docs/modules/concelier/operations/connectors/cert-in.md) |
| ACSC | stable | none | [docs/modules/concelier/operations/connectors/acsc.md](docs/modules/concelier/operations/connectors/acsc.md) |
| CCCS | stable | none | [docs/modules/concelier/operations/connectors/cccs.md](docs/modules/concelier/operations/connectors/cccs.md) |
| KISA | stable | none | [docs/modules/concelier/operations/connectors/kisa.md](docs/modules/concelier/operations/connectors/kisa.md) |
| JVN | stable | none | [docs/modules/concelier/operations/connectors/jvn.md](docs/modules/concelier/operations/connectors/jvn.md) |
| FSTEC BDU | beta | none | [docs/modules/concelier/operations/connectors/fstec-bdu.md](docs/modules/concelier/operations/connectors/fstec-bdu.md) |
| NKCKI | beta | none | [docs/modules/concelier/operations/connectors/nkcki.md](docs/modules/concelier/operations/connectors/nkcki.md) |
| Microsoft MSRC | stable | none | [docs/modules/concelier/operations/connectors/msrc.md](docs/modules/concelier/operations/connectors/msrc.md) |
| Cisco PSIRT | stable | oauth | [docs/modules/concelier/operations/connectors/cisco.md](docs/modules/concelier/operations/connectors/cisco.md) |
| Oracle CPU | stable | none | [docs/modules/concelier/operations/connectors/oracle.md](docs/modules/concelier/operations/connectors/oracle.md) |
| VMware | stable | none | [docs/modules/concelier/operations/connectors/vmware.md](docs/modules/concelier/operations/connectors/vmware.md) |
| Adobe PSIRT | stable | none | [docs/modules/concelier/operations/connectors/adobe.md](docs/modules/concelier/operations/connectors/adobe.md) |
| Apple Security | stable | none | [docs/modules/concelier/operations/connectors/apple.md](docs/modules/concelier/operations/connectors/apple.md) |
| Chromium | stable | none | [docs/modules/concelier/operations/connectors/chromium.md](docs/modules/concelier/operations/connectors/chromium.md) |
| Kaspersky ICS-CERT | beta | none | [docs/modules/concelier/operations/connectors/kaspersky-ics.md](docs/modules/concelier/operations/connectors/kaspersky-ics.md) |
| EPSS v4 | stable | none | [docs/modules/concelier/operations/connectors/epss.md](docs/modules/concelier/operations/connectors/epss.md) |

---

## VEX Processing (Excititor/VexLens)

*VEX processing provides a full consensus engine with a 5-state lattice, 9 trust factors, and conflict detection.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX VEX Ingestion | ✅ | ✅ | ✅ | |
| CSAF VEX Ingestion | — | ✅ | ✅ | |
| **VEX Consensus Engine (5-state)** | ✅ | ✅ | ✅ | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | ✅ | ✅ | ✅ | |
| **Trust Weight Scoring (9 factors)** | ✅ | ✅ | ✅ | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | ✅ | ✅ | ✅ | |
| Freshness Decay | ✅ | ✅ | ✅ | 14-day half-life |
| Conflict Detection & Penalty | ✅ | ✅ | ✅ | K4 lattice logic |
| VEX Conflict Studio UI | ✅ | ✅ | ✅ | Visual resolution |
| VEX Hub (Distribution) | ✅ | ✅ | ✅ | Internal VEX network |
| **VEX Webhook Distribution** | — | ✅ | ✅ | Pub/sub notifications |
| **CSAF Provider Connectors (7)** | — | ✅ | ✅ | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| **Issuer Trust Registry** | — | ✅ | ✅ | Key lifecycle, trust overrides |
| **VEX from Drift Generation** | — | ✅ | ✅ | `stella vex gen --from-drift` |
| **Trust Calibration Service** | — | — | ✅ | Org-specific tuning |
| **Consensus Rationale Export** | — | — | ✅ | Audit-grade explainability |

**CLI Commands:**

- `stella vex verify ` — Verify VEX statement signature and content
- `stella vex consensus ` — Show consensus status for digest
- `stella vex evidence export` — Export VEX evidence for audit
- `stella vex webhooks list/add/remove` — Manage VEX distribution
- `stella issuer keys list/create/rotate/revoke` — Issuer key management

---

## Policy Engine

*The policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | ✅ | ✅ | ✅ | Basic rules |
| **Belnap K4 Four-Valued Logic** | ✅ | ✅ | ✅ | True/False/Both/Neither |
| Security Atoms (6 types) | ✅ | ✅ | ✅ | |
| Disposition Selection (ECMA-424) | ✅ | ✅ | ✅ | |
| Minimum Confidence Gate | ✅ | ✅ | ✅ | |
| **10+ Policy Gate Types** | ✅ | ✅ | ✅ | Severity, reachability, age, etc. |
| **6 Risk Score Providers** | ✅ | ✅ | ✅ | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | — | ✅ | ✅ | |
| **Determinization System** | — | ✅ | ✅ | Signal weights, decay, uncertainty |
| **Policy Simulation** | — | ✅ | ✅ | `stella policy simulate` |
| Source Quota Gate | — | — | ✅ | 60% cap enforcement |
| Reachability Requirement Gate | — | — | ✅ | For criticals |
| **OPA/Rego Integration** | — | — | ✅ | Custom policies |
| **Exception Objects & Workflow** | — | — | ✅ | Approval chains |
| **Score Policy YAML** | — | — | ✅ | Full customization |
| **Configurable Scoring Profiles** | — | — | ✅ | Simple/Advanced |
| **Policy Version History** | — | — | ✅ | Audit trail |
| **Verdict Attestations** | — | — | ✅ | DSSE/Rekor signed verdicts |

**CLI Commands:**

- `stella policy list/show/create/update/delete` — Policy CRUD
- `stella policy simulate ` — Simulate policy evaluation
- `stella policy validate ` — Validate policy YAML
- `stella policy decisions list/show` — View policy decisions
- `stella policy gates list` — List available gate types

---

## Attestation & Signing

*Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | ✅ | ✅ | ✅ | |
| in-toto Statement Structure | ✅ | ✅ | ✅ | |
| **25+ Predicate Types** | ✅ | ✅ | ✅ | SBOM, VEX, verdict, etc. |
| SBOM Predicate | ✅ | ✅ | ✅ | |
| VEX Predicate | ✅ | ✅ | ✅ | |
| Reachability Predicate | — | ✅ | ✅ | |
| Policy Decision Predicate | — | ✅ | ✅ | |
| Verdict Manifest (signed) | — | ✅ | ✅ | |
| Verdict Replay Verification | — | ✅ | ✅ | |
| **Keyless Signing (Sigstore)** | — | ✅ | ✅ | Fulcio-based OIDC |
| **Delta Attestations (4 types)** | — | ✅ | ✅ | VEX/SBOM/Verdict/Reachability |
| **Attestation Chains** | — | ✅ | ✅ | Linked attestation graphs |
| **Human Approval Predicate** | — | — | ✅ | Workflow attestation |
| **Boundary Predicate** | — | — | ✅ | Network exposure |
| **Key Rotation Service** | — | — | ✅ | Automated key lifecycle |
| **Trust Anchor Management** | — | — | ✅ | Root CA management |
| **SLSA Provenance v1.0** | — | — | ✅ | Supply chain |
| **Rekor Transparency Log** | — | — | ✅ | Public attestation |
| **Cosign Integration** | — | — | ✅ | Sigstore ecosystem |

**CLI Commands:**

- `stella attest sign ` — Sign attestation
- `stella attest verify ` — Verify attestation signature
- `stella attest predicates list` — List supported predicate types
- `stella attest export ` — Export attestations for digest
- `stella keys list/create/rotate/revoke` — Key management

---

## Regional Crypto (Sovereign Profiles)

*Sovereign crypto is core to the AGPL promise: no vendor lock-in on compliance. 8 signature profiles are supported.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | ✅ | ✅ | ✅ | |
| FIPS 140-2/3 Mode | ✅ | ✅ | ✅ | US Federal |
| eIDAS Signatures | ✅ | ✅ | ✅ | EU Compliance |
| GOST/CryptoPro | ✅ | ✅ | ✅ | Russia |
| SM National Standard | ✅ | ✅ | ✅ | China |
| Post-Quantum (Dilithium) | ✅ | ✅ | ✅ | Future-proof |
| Crypto Plugin Architecture | ✅ | ✅ | ✅ | Custom HSM |
| **Multi-Profile Signing** | — | ✅ | ✅ | Sign with multiple algorithms |
| **SM Remote Service** | — | — | ✅ | Chinese market HSM integration |
| **HSM/PKCS#11 Integration** | — | — | ✅ | Hardware security modules |

**CLI Commands:**

- `stella crypto profiles list` — List available crypto profiles
- `stella crypto verify --profile ` — Verify with specific profile
- `stella crypto plugins list/status` — Manage crypto plugins

---

## Determinism & Reproducibility

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | ✅ | ✅ | ✅ | |
| Content-Addressed IDs | ✅ | ✅ | ✅ | SHA-256 |
| Replay Manifest (SRM) | ✅ | ✅ | ✅ | |
| `stella replay` CLI | ✅ | ✅ | ✅ | |
| Score Explanation Arrays | ✅ | ✅ | ✅ | |
| Evidence Freshness Multipliers | — | ✅ | ✅ | |
| Proof Coverage Metrics | — | ✅ | ✅ | |
| **Fidelity Metrics (BF/SF/PF)** | — | — | ✅ | Audit dashboards |
| **FN-Drift Rate Tracking** | — | — | ✅ | Quality monitoring |
| **Determinism Gate CI** | — | — | ✅ | Automated checks |

---

## Scoring & Risk Assessment

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | ✅ | ✅ | ✅ | |
| EPSS v4 Probability | ✅ | ✅ | ✅ | |
| Priority Band Classification | ✅ | ✅ | ✅ | |
| EPSS-at-Scan Immutability | — | ✅ | ✅ | |
| Unified Confidence Model | — | ✅ | ✅ | 5-factor |
| **Entropy-Based Scoring** | — | — | ✅ | Advanced |
| **Gate Multipliers** | — | — | ✅ | Reachability-aware |
| **Unknowns Pressure Factor** | — | — | ✅ | Risk budgets |
| **Custom Scoring Profiles** | — | — | ✅ | Org-specific |

---

## Evidence & Findings

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | ✅ | ✅ | ✅ | |
| Evidence Graph View | ✅ | ✅ | ✅ | Basic |
| Decision Capsules | ✅ | ✅ | ✅ | |
| **Findings Ledger (Immutable)** | — | — | ✅ | Audit trail |
| **Evidence Locker (Sealed)** | — | — | ✅ | Export/import |
| **Evidence TTL Policies** | — | — | ✅ | Retention rules |
| **Evidence Size Budgets** | — | — | ✅ | Storage governance |
| **Retention Tiers** | — | — | ✅ | Hot/Warm/Cold |
| **Privacy Controls** | — | — | ✅ | Redaction |
| **Audit Pack Export** | — | — | ✅ | Compliance bundles |

---

## CLI Capabilities

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | ✅ | ✅ | ✅ | |
| SBOM Inspect & Diff | ✅ | ✅ | ✅ | |
| Deterministic Replay | ✅ | ✅ | ✅ | |
| Attestation Verify | — | ✅ | ✅ | |
| Unknowns Budget Check | — | ✅ | ✅ | |
| Evidence Export | — | ✅ | ✅ | |
| **Audit Pack Operations** | — | — | ✅ | Full workflow |
| **Binary Match Inspection** | — | — | ✅ | Advanced |
| **Crypto Plugin Commands** | — | — | ✅ | Regional crypto |
| **Admin Utilities** | — | — | ✅ | Ops tooling |

---

## Web UI Capabilities

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | ✅ | ✅ | ✅ | |
| Findings Row Component | ✅ | ✅ | ✅ | |
| Evidence Drawer | ✅ | ✅ | ✅ | |
| Proof Tab | ✅ | ✅ | ✅ | |
| Confidence Meter | ✅ | ✅ | ✅ | |
| Locale Support | — | ✅ | ✅ | Cyrillic, etc. |
| Reproduce Verdict Button | — | ✅ | ✅ | |
| **Audit Trail UI** | — | — | ✅ | Full history |
| **Trust Algebra Panel** | — | — | ✅ | P/C/R visualization |
| **Claim Comparison Table** | — | — | ✅ | Conflict view |
| **Policy Chips Display** | — | — | ✅ | Gate status |
| **Reachability Mini-Map** | — | — | ✅ | Path visualization |
| **Runtime Timeline** | — | — | ✅ | Temporal view |
| **Operator/Auditor Toggle** | — | — | ✅ | Role separation |
| **Knowledge Snapshot UI** | — | — | ✅ | Air-gap prep |
| **Keyboard Shortcuts** | — | — | ✅ | Power users |

---

## Quota & Operations

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | ✅ | ✅ | ✅ | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | ✅ | ✅ | ✅ | |
| 429 Backpressure | ✅ | ✅ | ✅ | |
| Retry-After Headers | ✅ | ✅ | ✅ | |
| **Priority Queue** | — | — | ✅ | Guaranteed capacity |
| **Burst Allowance** | — | — | ✅ | 3× daily for 1hr |
| **Custom Quotas** | — | — | ✅ | Per contract |

---

## Offline & Air-Gap

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | — | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | — | ✅ | ✅ | |
| One-Command Replay | — | ✅ | ✅ | |
| **Sealed Knowledge Snapshots** | — | — | ✅ | Full feed export |
| **Air-Gap Bundle Manifest** | — | — | ✅ | Transfer packages |
| **No-Egress Enforcement** | — | — | ✅ | Strict isolation |
| **Offline JWT (90d)** | — | — | ✅ | Extended tokens |

---

## Deployment

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | ✅ | ✅ | ✅ | Single-node |
| Helm Chart (K8s) | — | ✅ | ✅ | |
| PostgreSQL 16+ | ✅ | ✅ | ✅ | |
| Valkey 8.0+ | ✅ | ✅ | ✅ | |
| RustFS (S3) | — | ✅ | ✅ | |
| **High-Availability** | — | — | ✅ | Multi-replica |
| **Horizontal Scaling** | — | — | ✅ | Auto-scale |
| **Dedicated Capacity** | — | — | ✅ | Reserved resources |

---

## Access Control & Identity (Authority)

*Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | ✅ | ✅ | ✅ | |
| API Keys | ✅ | ✅ | ✅ | With scopes and expiration |
| SSO/SAML Integration | ✅ | ✅ | ✅ | Okta, Azure AD |
| OIDC Support | ✅ | ✅ | ✅ | |
| Basic RBAC | ✅ | ✅ | ✅ | User/Admin |
| **75+ Authorization Scopes** | ✅ | ✅ | ✅ | Fine-grained permissions |
| **DPoP (Sender Constraints)** | — | ✅ | ✅ | Token binding |
| **mTLS Client Certificates** | — | ✅ | ✅ | Certificate auth |
| **Device Authorization Flow** | — | ✅ | ✅ | CLI/IoT devices |
| **PAR Support** | — | ✅ | ✅ | Pushed Authorization Requests |
| **User Federation (LDAP/SAML)** | — | — | ✅ | Directory integration |
| **Multi-Factor Authentication** | — | — | ✅ | TOTP/WebAuthn |
| **Advanced RBAC** | — | — | ✅ | Team-based scopes |
| **Multi-Tenant Management** | — | — | ✅ | Org hierarchy |
| **Audit Log Export** | — | — | ✅ | SIEM integration |

**CLI Commands:**

- `stella auth clients list/create/delete` — OAuth client management
- `stella auth roles list/show/assign` — Role management
- `stella auth scopes list` — List available scopes
- `stella auth token introspect ` — Token introspection
- `stella auth api-keys list/create/revoke` — API key management

---

## Notifications & Integrations

*10 notification channel types with template engine, routing rules, and escalation.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| In-App Notifications | ✅ | ✅ | ✅ | |
| Email Notifications | — | ✅ | ✅ | |
| EPSS Change Alerts | — | ✅ | ✅ | |
| Slack Integration | ✅ | ✅ | ✅ | Basic |
| Teams Integration | ✅ | ✅ | ✅ | Basic |
| **Discord Integration** | — | ✅ | ✅ | Webhook-based |
| **PagerDuty Integration** | — | ✅ | ✅ | Incident management |
| **OpsGenie Integration** | — | ✅ | ✅ | Alert routing |
| Zastava Registry Hooks | ✅ | ✅ | ✅ | Auto-scan on push |
| **Zastava K8s Admission** | — | ✅ | ✅ | Validating/Mutating webhooks |
| **Template Engine** | — | — | ✅ | Customizable templates |
| **Channel Routing Rules** | — | — | ✅ | Severity/team routing |
| **Escalation Policies** | — | — | ✅ | Time-based escalation |
| **Notification Studio UI** | — | — | ✅ | Visual rule builder |
| **Custom Webhooks** | — | — | ✅ | Any endpoint |
| **CI/CD Gates** | — | — | ✅ | GitLab/GitHub/Jenkins |
| **SCM Integrations** | — | — | ✅ | PR comments, status checks |
| **Issue Tracker Integration** | — | — | ✅ | Jira, GitHub Issues |
| **Enterprise Connectors** | — | — | ✅ | Grid/Premium APIs |

**CLI Commands:**

- `stella notify channels list/test` — Channel management
- `stella notify rules list/create` — Routing rules
- `stella zastava install/configure/status` — K8s webhook management

---

## Scheduling & Automation

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | ✅ | ✅ | ✅ | |
| **Scheduled Scans** | — | — | ✅ | Cron-based |
| **Task Pack Orchestration** | — | — | ✅ | Declarative workflows |
| **EPSS Daily Refresh** | — | — | ✅ | Auto-update |
| **Event-Driven Scanning** | — | — | ✅ | On registry push |

---

## Observability & Telemetry

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | ✅ | ✅ | ✅ | |
| Opt-In Telemetry | ✅ | ✅ | ✅ | |
| **OpenTelemetry Traces** | — | — | ✅ | Full tracing |
| **Prometheus Export** | — | — | ✅ | Custom dashboards |
| **Quality KPIs Dashboard** | — | — | ✅ | Triage metrics |
| **SLA Monitoring** | — | — | ✅ | Uptime tracking |

---

## Support & Services

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | ✅ | ✅ | ✅ | |
| Community Forums | ✅ | ✅ | ✅ | |
| GitHub Issues | ✅ | ✅ | ✅ | |
| **Email Support** | — | — | ✅ | Business hours |
| **Priority Support** | — | — | ✅ | 4hr response |
| **24/7 Critical Support** | — | — | ✅ | Add-on |
| **Dedicated CSM** | — | — | ✅ | Named contact |
| **Professional Services** | — | — | ✅ | Implementation |
| **Training & Certification** | — | — | ✅ | Team enablement |
| **SLA Guarantee** | — | — | ✅ | 99.9% uptime |

---

## Version Comparison

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | ✅ | ✅ | ✅ | |
| Debian (EVR) | ✅ | ✅ | ✅ | |
| Alpine (APK) | ✅ | ✅ | ✅ | |
| SemVer | ✅ | ✅ | ✅ | |
| PURL Resolution | ✅ | ✅ | ✅ | |

---

## Summary by Tier

### Free Tier (33 scans/day)

**Target:** Individual developers, OSS contributors, evaluation

- All language analyzers (11 languages)
- All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
- Full VEX processing + VEX Hub + Conflict Studio
- SSO/SAML/OIDC authentication
- Zastava registry webhooks
- Slack/Teams notifications
- Core determinism + replay
- Docker Compose deployment
- Community support

### Community Tier (333 scans/day)

**Target:** Startups, small teams (<25), active open source projects

Everything in Free, plus:

- 10× scan quota
- Deep analysis mode
- Binary analysis (backport detection)
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications + EPSS alerts
- Monthly Offline Update Kit access

**Registration required, 30-day token renewal**

### Enterprise Tier (2,000+ scans/day)

**Target:** Organizations 25+, compliance-driven, multi-team

Everything in Community, plus:

- **Scale**: HA, horizontal scaling, priority queue, burst allowance
- **Multi-Team**: Advanced RBAC (scopes), multi-tenant, org hierarchy
- **Advanced Detection**: Binary fingerprints, trust calibration
- **Compliance**: SLSA provenance, Rekor transparency, audit pack export
- **Air-Gap**: Sealed snapshots, 90-day offline tokens, no-egress mode
- **Automation**: CI/CD gates, custom webhooks, scheduled scans
- **Observability**: OpenTelemetry, Prometheus, KPI dashboards
- **Support**: SLA (99.9%), priority support (4hr), dedicated CSM

---

> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned

---

*Last updated: 16 Jan 2026 (rev 5.1 - Documentation Sprint 024)*