- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting. - Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling. - Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.
40 lines
5.6 KiB
Markdown
Executable File
# 4 · Feature Matrix — **Stella Ops**
*(rev 2.0 · 14 Jul 2025)*

> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.

| Category | Capability | Free Tier (≤ 333 scans / day) | Community Plug‑in | Commercial Add‑On | Notes / ETA |
| ---------------------- | ------------------------------------- | ----------------------------- | ----------------- | ------------------- | ------------------------------------------ |
| **SBOM Ingestion** | Trivy‑JSON, SPDX‑JSON, CycloneDX‑JSON | ✅ | — | — | Auto‑detect on upload |
| | **Delta‑SBOM Cache** | ✅ | — | — | Warm scans < 1 s |
| **Scanning** | CVE lookup via local DB | ✅ | — | — | Update job ships weekly feeds |
| | Licence‑risk detection | ⏳ (roadmap Q4‑2025) | — | — | SPDX licence list |
| **Policy Engine** | YAML rules | ✅ | — | — | In‑UI editor |
| | OPA / Rego | ⏳ (β Q1‑2026) | ✅ plug‑in | — | Plug‑in enables Rego |
| **Registry** | Anonymous internal registry | ✅ | — | — | `StellaOps.Registry` image |
| **Attestation** | Cosign signing | ⏳ (Q1‑2026) | — | — | Requires `StellaOpsAttestor` |
| | SLSA provenance v1.0 | — | — | ⏳ (commercial 2026) | Enterprise need |
| | Rekor transparency log | — | ✅ plug‑in | — | Air‑gap replica support |
| **Quota & Throttling** | {{ quota_token }} scans/day soft limit | ✅ | — | — | Yellow banner at 200, wait‑wall post‑limit |
| | Usage API (`/quota`) | ✅ | — | — | CI can poll remaining scans |
| **User Interface** | Dark / light mode | ✅ | — | — | Auto‑detect OS theme |
| | Additional locale (Cyrillic) | ✅ | — | — | Default if `Accept‑Language: bg` or any other |
| | Audit trail | ✅ | — | — | PostgreSQL history |
| **Deployment** | Docker Compose bundle | ✅ | — | — | Single‑node |
| | Helm chart (K8s) | ✅ | — | — | Horizontal scaling |
| | High‑availability split services | — | — | ✅ (Add‑On) | HA Redis & PostgreSQL |
| **Extensibility** | .NET hot‑load plug‑ins | ✅ | N/A | — | AGPL reference SDK |
| | Community plug‑in marketplace | — | ⏳ (β Q2‑2026) | — | Moderated listings |
| **Telemetry** | Opt‑in anonymous metrics | ✅ | — | — | Required for quota satisfaction KPI |
| **Quota & Tokens** | **Client‑JWT issuance** | ✅ (online 12 h token) | — | — | `/connect/token` |
| | **Offline Client‑JWT (30 d)** | ✅ via OUK | — | — | Refreshed monthly in OUK |
| **Reachability & Evidence** | Graph-level reachability DSSE | ⏳ (Q1‑2026) | — | — | Mandatory attestation per graph; CAS+Rekor; see `docs/reachability/hybrid-attestation.md`. |
| | Edge-bundle DSSE (selective) | ⏳ (Q2‑2026) | — | — | Optional bundles for runtime/init/contested edges; Rekor publish capped. |
| | Cross-scanner determinism bench | ⏳ (Q1‑2026) | — | — | CI bench from 23-Nov advisory; determinism rate + CVSS σ. |

> **Legend:** ✅ = Included · ⏳ = Planned · — = Not applicable
>
> Rows marked “Commercial Add‑On” are optional paid components shipping outside the AGPL‑core; everything else is FOSS.

---

*Last updated: 14 Jul 2025 (quota rev 2.0).*