git.stella-ops.org/docs/04_FEATURE_MATRIX.md

4 · Feature Matrix — Stella Ops

(rev 4.0 · 24 Dec 2025)

Looking for a quick read? Check key-features.md for the short capability cards; this matrix keeps full tier-by-tier detail.

---

Pricing Tiers Overview

Tier	Scans/Day	Registration	Token Refresh	Target User	Price
Free	33	None	12h auto	Individual developer	$0
Community	333	Required	30d manual	Startups, small teams (<25)	$0
Enterprise	2,000+	SSO/Contract	Annual	Organizations (25+), regulated	Contact Sales

Key Differences:

• Free → Community: 10× quota, deep analysis, Helm/K8s, email alerts, requires registration
• Community → Enterprise: Scale (HA), multi-team (RBAC scopes), automation (CI/CD), support (SLA)

---

Competitive Moat Features

These differentiators are available across all tiers to build brand and adoption.

Capability	Free	Community	Enterprise	Notes
Signed Replayable Risk Verdicts	✅	✅	✅	Core differentiator
Decision Capsules	✅	✅	✅	Audit-grade evidence bundles
VEX Decisioning Engine	✅	✅	✅	Trust lattice + conflict resolution
Reachability with Portable Proofs	✅	✅	✅	Three-layer analysis
Smart-Diff (Semantic Risk Delta)	✅	✅	✅	Material change detection
Unknowns as First-Class State	✅	✅	✅	Uncertainty budgets
Deterministic Replay	✅	✅	✅	stella replay srm.yaml

---

SBOM & Ingestion

Capability	Free	Community	Enterprise	Notes
Trivy-JSON Ingestion	✅	✅	✅
SPDX-JSON 3.0.1 Ingestion	✅	✅	✅
CycloneDX 1.6/1.7 Ingestion	✅	✅	✅
Auto-format Detection	✅	✅	✅
Delta-SBOM Cache	✅	✅	✅	Warm scans <1s
SBOM Generation (all formats)	✅	✅	✅
Semantic SBOM Diff	✅	✅	✅
BYOS (Bring-Your-Own-SBOM)	✅	✅	✅
SBOM Lineage Ledger	—	—	✅	Full versioned history
SBOM Lineage API	—	—	✅	Traversal queries

---

Scanning & Detection

Capability	Free	Community	Enterprise	Notes
CVE Lookup via Local DB	✅	✅	✅
Licence-Risk Detection	⏳	⏳	⏳	Q4-2025
Language Analyzers (All 8)
— .NET/C#, Java, Go, Python	✅	✅	✅
— Node.js, Ruby, Bun, Native	✅	✅	✅
Progressive Fidelity Modes
— Quick Mode	✅	✅	✅
— Standard Mode	✅	✅	✅
— Deep Mode	—	✅	✅	Full analysis
Base Image Detection	✅	✅	✅
Layer-Aware Analysis	✅	✅	✅
Concurrent Scan Workers	1	3	Unlimited

---

Reachability Analysis

Capability	Free	Community	Enterprise	Notes
Static Call Graph	✅	✅	✅
Entrypoint Detection	✅	✅	✅	9+ framework types
BFS Reachability	✅	✅	✅
Reachability Drift Detection	✅	✅	✅
Binary Loader Resolution	—	✅	✅	ELF/PE/Mach-O
Feature Flag/Config Gating	—	✅	✅	Layer 3 analysis
Runtime Signal Correlation	—	—	✅	Zastava integration
Gate Detection (auth/admin)	—	—	✅	Enterprise policies
Path Witness Generation	—	—	✅	Audit evidence
Reachability Mini-Map API	—	—	✅	UI visualization
Runtime Timeline API	—	—	✅	Temporal analysis

---

Binary Analysis (BinaryIndex)

Capability	Free	Community	Enterprise	Notes
Binary Identity Extraction	✅	✅	✅	Build-ID, hashes
Build-ID Vulnerability Lookup	✅	✅	✅
Debian/Ubuntu Corpus	✅	✅	✅
RPM/RHEL Corpus	—	✅	✅
Patch-Aware Backport Detection	—	✅	✅
PE/Mach-O/ELF Parsers	—	✅	✅
Binary Fingerprint Generation	—	—	✅	Advanced detection
Fingerprint Matching Engine	—	—	✅	Similarity search
DWARF/Symbol Analysis	—	—	✅	Debug symbols

---

Advisory Sources (Concelier)

Source	Free	Community	Enterprise	Notes
NVD	✅	✅	✅
GHSA	✅	✅	✅
OSV	✅	✅	✅
Alpine SecDB	✅	✅	✅
Debian Security Tracker	✅	✅	✅
Ubuntu USN	✅	✅	✅
RHEL/CentOS OVAL	—	✅	✅
KEV (Exploited Vulns)	✅	✅	✅
EPSS v4	✅	✅	✅
Custom Advisory Connectors	—	—	✅	Private feeds
Advisory Merge Engine	—	—	✅	Conflict resolution

---

VEX Processing (Excititor)

Capability	Free	Community	Enterprise	Notes
OpenVEX Ingestion	✅	✅	✅
CycloneDX VEX Ingestion	✅	✅	✅
CSAF VEX Ingestion	—	✅	✅
VEX Consensus Resolver	✅	✅	✅
Trust Vector Scoring (P/C/R)	✅	✅	✅
Claim Strength Multipliers	✅	✅	✅
Freshness Decay	✅	✅	✅
Conflict Detection & Penalty	✅	✅	✅	K4 lattice logic
VEX Conflict Studio UI	✅	✅	✅	Visual resolution
VEX Hub (Distribution)	✅	✅	✅	Internal VEX network
Trust Calibration Service	—	—	✅	Org-specific tuning

---

Policy Engine

Capability	Free	Community	Enterprise	Notes
YAML Policy Rules	✅	✅	✅	Basic rules
Belnap K4 Four-Valued Logic	✅	✅	✅
Security Atoms (6 types)	✅	✅	✅
Disposition Selection (ECMA-424)	✅	✅	✅
Minimum Confidence Gate	✅	✅	✅
Unknowns Budget Gate	—	✅	✅
Source Quota Gate	—	—	✅	60% cap enforcement
Reachability Requirement Gate	—	—	✅	For criticals
OPA/Rego Integration	—	—	✅	Custom policies
Exception Objects & Workflow	—	—	✅	Approval chains
Score Policy YAML	—	—	✅	Full customization
Configurable Scoring Profiles	—	—	✅	Simple/Advanced
Policy Version History	—	—	✅	Audit trail

---

Attestation & Signing

Capability	Free	Community	Enterprise	Notes
DSSE Envelope Signing	✅	✅	✅
in-toto Statement Structure	✅	✅	✅
SBOM Predicate	✅	✅	✅
VEX Predicate	✅	✅	✅
Reachability Predicate	—	✅	✅
Policy Decision Predicate	—	✅	✅
Verdict Manifest (signed)	—	✅	✅
Verdict Replay Verification	—	✅	✅
Human Approval Predicate	—	—	✅	Workflow attestation
Boundary Predicate	—	—	✅	Network exposure
Key Rotation Management	—	—	✅	Enterprise key ops
SLSA Provenance v1.0	—	—	✅	Supply chain
Rekor Transparency Log	—	—	✅	Public attestation
Cosign Integration	—	—	✅	Sigstore ecosystem

---

Regional Crypto (Sovereign Profiles)

Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.

Capability	Free	Community	Enterprise	Notes
Default Crypto (Ed25519)	✅	✅	✅
FIPS 140-2/3 Mode	✅	✅	✅	US Federal
eIDAS Signatures	✅	✅	✅	EU Compliance
GOST/CryptoPro	✅	✅	✅	Russia
SM National Standard	✅	✅	✅	China
Post-Quantum (Dilithium)	✅	✅	✅	Future-proof
Crypto Plugin Architecture	✅	✅	✅	Custom HSM

---

Determinism & Reproducibility

Capability	Free	Community	Enterprise	Notes
Canonical JSON Serialization	✅	✅	✅
Content-Addressed IDs	✅	✅	✅	SHA-256
Replay Manifest (SRM)	✅	✅	✅
stella replay CLI	✅	✅	✅
Score Explanation Arrays	✅	✅	✅
Evidence Freshness Multipliers	—	✅	✅
Proof Coverage Metrics	—	✅	✅
Fidelity Metrics (BF/SF/PF)	—	—	✅	Audit dashboards
FN-Drift Rate Tracking	—	—	✅	Quality monitoring
Determinism Gate CI	—	—	✅	Automated checks

---

Scoring & Risk Assessment

Capability	Free	Community	Enterprise	Notes
CVSS v4.0 Display	✅	✅	✅
EPSS v4 Probability	✅	✅	✅
Priority Band Classification	✅	✅	✅
EPSS-at-Scan Immutability	—	✅	✅
Unified Confidence Model	—	✅	✅	5-factor
Entropy-Based Scoring	—	—	✅	Advanced
Gate Multipliers	—	—	✅	Reachability-aware
Unknowns Pressure Factor	—	—	✅	Risk budgets
Custom Scoring Profiles	—	—	✅	Org-specific

---

Evidence & Findings

Capability	Free	Community	Enterprise	Notes
Findings List	✅	✅	✅
Evidence Graph View	✅	✅	✅	Basic
Decision Capsules	✅	✅	✅
Findings Ledger (Immutable)	—	—	✅	Audit trail
Evidence Locker (Sealed)	—	—	✅	Export/import
Evidence TTL Policies	—	—	✅	Retention rules
Evidence Size Budgets	—	—	✅	Storage governance
Retention Tiers	—	—	✅	Hot/Warm/Cold
Privacy Controls	—	—	✅	Redaction
Audit Pack Export	—	—	✅	Compliance bundles

---

CLI Capabilities

Capability	Free	Community	Enterprise	Notes
Scanner Commands	✅	✅	✅
SBOM Inspect & Diff	✅	✅	✅
Deterministic Replay	✅	✅	✅
Attestation Verify	—	✅	✅
Unknowns Budget Check	—	✅	✅
Evidence Export	—	✅	✅
Audit Pack Operations	—	—	✅	Full workflow
Binary Match Inspection	—	—	✅	Advanced
Crypto Plugin Commands	—	—	✅	Regional crypto
Admin Utilities	—	—	✅	Ops tooling

---

Web UI Capabilities

Capability	Free	Community	Enterprise	Notes
Dark/Light Mode	✅	✅	✅
Findings Row Component	✅	✅	✅
Evidence Drawer	✅	✅	✅
Proof Tab	✅	✅	✅
Confidence Meter	✅	✅	✅
Locale Support	—	✅	✅	Cyrillic, etc.
Reproduce Verdict Button	—	✅	✅
Audit Trail UI	—	—	✅	Full history
Trust Algebra Panel	—	—	✅	P/C/R visualization
Claim Comparison Table	—	—	✅	Conflict view
Policy Chips Display	—	—	✅	Gate status
Reachability Mini-Map	—	—	✅	Path visualization
Runtime Timeline	—	—	✅	Temporal view
Operator/Auditor Toggle	—	—	✅	Role separation
Knowledge Snapshot UI	—	—	✅	Air-gap prep
Keyboard Shortcuts	—	—	✅	Power users

---

Quota & Operations

Capability	Free	Community	Enterprise	Notes
Scans per Day	33	333	2,000+	Soft limit
Usage API (/quota)	✅	✅	✅
Client-JWT (Online)	12h	30d	Annual	Token duration
Rate Limiting	✅	✅	✅
429 Backpressure	✅	✅	✅
Retry-After Headers	✅	✅	✅
Priority Queue	—	—	✅	Guaranteed capacity
Burst Allowance	—	—	✅	3× daily for 1hr
Custom Quotas	—	—	✅	Per contract

---

Offline & Air-Gap

Capability	Free	Community	Enterprise	Notes
Offline Update Kits (OUK)	—	Monthly	Weekly	Feed freshness
Offline Signature Verify	—	✅	✅
One-Command Replay	—	✅	✅
Sealed Knowledge Snapshots	—	—	✅	Full feed export
Air-Gap Bundle Manifest	—	—	✅	Transfer packages
No-Egress Enforcement	—	—	✅	Strict isolation
Offline JWT (90d)	—	—	✅	Extended tokens

---

Deployment

Capability	Free	Community	Enterprise	Notes
Docker Compose	✅	✅	✅	Single-node
Helm Chart (K8s)	—	✅	✅
PostgreSQL 16+	✅	✅	✅
Valkey 8.0+	✅	✅	✅
RustFS (S3)	—	✅	✅
High-Availability	—	—	✅	Multi-replica
Horizontal Scaling	—	—	✅	Auto-scale
Dedicated Capacity	—	—	✅	Reserved resources

---

Access Control & Identity

Capability	Free	Community	Enterprise	Notes
Basic Auth	✅	✅	✅
API Keys	✅	✅	✅
SSO/SAML Integration	✅	✅	✅	Okta, Azure AD
OIDC Support	✅	✅	✅
Basic RBAC	✅	✅	✅	User/Admin
Advanced RBAC	—	—	✅	Team-based scopes
Multi-Tenant Management	—	—	✅	Org hierarchy
Audit Log Export	—	—	✅	SIEM integration

---

Notifications & Integrations

Capability	Free	Community	Enterprise	Notes
Email Notifications	—	✅	✅
In-App Notifications	✅	✅	✅
EPSS Change Alerts	—	✅	✅
Slack Integration	✅	✅	✅	Basic
Teams Integration	✅	✅	✅	Basic
Zastava Registry Hooks	✅	✅	✅	Auto-scan on push
Custom Webhooks	—	—	✅	Any endpoint
CI/CD Gates	—	—	✅	GitLab/GitHub/Jenkins
Enterprise Connectors	—	—	✅	Grid/Premium APIs

---

Scheduling & Automation

Capability	Free	Community	Enterprise	Notes
Manual Scans	✅	✅	✅
Scheduled Scans	—	—	✅	Cron-based
Task Pack Orchestration	—	—	✅	Declarative workflows
EPSS Daily Refresh	—	—	✅	Auto-update
Event-Driven Scanning	—	—	✅	On registry push

---

Observability & Telemetry

Capability	Free	Community	Enterprise	Notes
Basic Metrics	✅	✅	✅
Opt-In Telemetry	✅	✅	✅
OpenTelemetry Traces	—	—	✅	Full tracing
Prometheus Export	—	—	✅	Custom dashboards
Quality KPIs Dashboard	—	—	✅	Triage metrics
SLA Monitoring	—	—	✅	Uptime tracking

---

Support & Services

Capability	Free	Community	Enterprise	Notes
Documentation	✅	✅	✅
Community Forums	✅	✅	✅
GitHub Issues	✅	✅	✅
Email Support	—	—	✅	Business hours
Priority Support	—	—	✅	4hr response
24/7 Critical Support	—	—	✅	Add-on
Dedicated CSM	—	—	✅	Named contact
Professional Services	—	—	✅	Implementation
Training & Certification	—	—	✅	Team enablement
SLA Guarantee	—	—	✅	99.9% uptime

---

Version Comparison

Capability	Free	Community	Enterprise	Notes
RPM (NEVRA)	✅	✅	✅
Debian (EVR)	✅	✅	✅
Alpine (APK)	✅	✅	✅
SemVer	✅	✅	✅
PURL Resolution	✅	✅	✅

---

Summary by Tier

Free Tier (33 scans/day)

Target: Individual developers, OSS contributors, evaluation

• All language analyzers (8 languages)
• All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
• Full VEX processing + VEX Hub + Conflict Studio
• SSO/SAML/OIDC authentication
• Zastava registry webhooks
• Slack/Teams notifications
• Core determinism + replay
• Docker Compose deployment
• Community support

Community Tier (333 scans/day)

Target: Startups, small teams (<25), active open source projects

Everything in Free, plus:

• 10× scan quota
• Deep analysis mode
• Binary analysis (backport detection)
• Advanced attestation predicates
• Helm/K8s deployment
• Email notifications + EPSS alerts
• Monthly Offline Update Kit access

Registration required, 30-day token renewal

Enterprise Tier (2,000+ scans/day)

Target: Organizations 25+, compliance-driven, multi-team

Everything in Community, plus:

• Scale: HA, horizontal scaling, priority queue, burst allowance
• Multi-Team: Advanced RBAC (scopes), multi-tenant, org hierarchy
• Advanced Detection: Binary fingerprints, trust calibration
• Compliance: SLSA provenance, Rekor transparency, audit pack export
• Air-Gap: Sealed snapshots, 90-day offline tokens, no-egress mode
• Automation: CI/CD gates, custom webhooks, scheduled scans
• Observability: OpenTelemetry, Prometheus, KPI dashboards
• Support: SLA (99.9%), priority support (4hr), dedicated CSM

---

---

Legend: ✅ = Included | — = Not available | ⏳ = Planned

---

Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)