# Legal FAQ — Free‑Tier Quota & AGPL Compliance

> **Operational behaviour (limits, counters, delays) is documented in  
> [`33_333_QUOTA_OVERVIEW.md`](33_333_QUOTA_OVERVIEW.md).**  
> This page covers only the legal aspects of offering Stella Ops as a
> service or embedding it into another product while the free‑tier limits are
> in place.

---

## 1 · Does enforcing a quota violate the AGPL?

**No.**  
AGPL‑3.0 does not forbid implementing usage controls in the program itself.
Recipients retain the freedoms to run, study, modify and share the software.
The Stella Ops quota:

* Is enforced **solely at the service layer** (Redis counters) — the source
  code implementing the quota is published under AGPL‑3.0‑or‑later.
* Never disables functionality; it introduces *time delays* only after the
  free allocation is exhausted.
* Can be bypassed entirely by rebuilding from source and removing the
  enforcement middleware — the licence explicitly allows such modifications.

Therefore the quota complies with §§ 0 & 2 of the AGPL.

---

## 2 · Can I redistribute Stella Ops with the quota removed?

Yes, provided you:

1. **Publish the full corresponding source code** of your modified version  
   (AGPL § 13 & § 5c), and
2. Clearly indicate the changes (AGPL § 5a).

You may *retain* or *relax* the limits, or introduce your own tiering, as long
as the complete modified source is offered to every user of the service.

---

## 3 · Embedding in a proprietary appliance

You may ship Stella Ops inside a hardware or virtual appliance **only if** the
entire combined work is distributed under **AGPL‑3.0‑or‑later** and you supply
the full source code for both the scanner and your integration glue.

Shipping an AGPL component while keeping the rest closed‑source violates
§ 13 (*“remote network interaction”*).

---

## 4 · SaaS redistribution

Operating a public SaaS that offers Stella Ops scans to third parties triggers
the **network‑use clause**.  You must:

* Provide the complete, buildable source of **your running version** —
  including quota patches or UI branding.
* Present the offer **conspicuously** (e.g. a “Source Code” footer link).

Failure to do so breaches § 13 and can terminate your licence under § 8.

---

## 5 · Is e‑mail collection for the JWT legal?

* **Purpose limitation (GDPR Art. 5‑1 b):** address is used only to deliver the
  JWT or optional release notes.
* **Data minimisation (Art. 5‑1 c):** no name, IP or marketing preferences are
  required; a blank e‑mail body suffices.
* **Storage limitation (Art. 5‑1 e):** addresses are deleted or hashed after
  ≤ 7 days unless the sender opts into updates.

Hence the token workflow adheres to GDPR principles.

---

## 6 · Change‑log

| Version | Date | Notes |
|---------|------|-------|
| **2.0** | 2025‑07‑16 | Removed runtime quota details; linked to new authoritative overview. |
| 1.0 | 2024‑12‑20 | Initial legal FAQ. |