Feature Matrix — Stella Ops Suite
(rev 5.1 · 16 Jan 2026)
Looking for a quick read? Check key-features.md for the short capability cards; this matrix keeps the full tier-by-tier detail.
Product Evolution
Stella Ops Suite is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.
- Release orchestration — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- Security decisioning as a gate — Scan on build, evaluate on release, re-evaluate on CVE updates
- OCI-digest-first releases — Immutable digest-based release identity
- Evidence packets — Every release decision is cryptographically signed and stored
Pricing Model
Principle: Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes.
| Plan | Price | Environments | New Digests/Day | Deployments | Notes |
|---|---|---|---|---|---|
| Free | $0/month | 3 | 333 | Unlimited (fair use) | Full features |
| Pro | $699/month | 33 | 3,333 | Unlimited (fair use) | Same features |
| Enterprise | $1,999/month | Unlimited | Unlimited | Unlimited | Fair use on mirroring/audit bandwidth |
Key Principles:
- All plans include all features (no feature gating)
- Limits are environments + new digests analyzed per day
- Unlimited deployments with fair use policy
Competitive Moat Features
These differentiators are available across all plans.
| Capability | Free | Pro | Enterprise | Notes |
|---|---|---|---|---|
| Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator |
| Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles |
| VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | ✅ | ✅ | ✅ | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection |
| Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets |
| Deterministic Replay | ✅ | ✅ | ✅ | stella replay srm.yaml |
| Non-Kubernetes First-Class | ✅ | ✅ | ✅ | Docker/Compose/ECS/Nomad targets |
| Digest-First Release Identity | ✅ | ✅ | ✅ | Immutable releases |
Release Orchestration (Planned)
Release orchestration capabilities are planned for implementation. All plans will include all features.
| Capability | Free | Pro | Enterprise | Notes |
|---|---|---|---|---|
| Environment Management | ||||
| Environment CRUD | ⏳ | ⏳ | ⏳ | Dev/Stage/Prod definitions |
| Freeze Windows | ⏳ | ⏳ | ⏳ | Calendar-based blocking |
| Approval Policies | ⏳ | ⏳ | ⏳ | Per-environment rules |
| Release Management | ||||
| Component Registry | ⏳ | ⏳ | ⏳ | Service → repository mapping |
| Release Bundles | ⏳ | ⏳ | ⏳ | Component → digest bundles |
| Semantic Versioning | ⏳ | ⏳ | ⏳ | SemVer release versions |
| Tag → Digest Resolution | ⏳ | ⏳ | ⏳ | Immutable digest pinning |
| Promotion & Gates | ||||
| Promotion Workflows | ⏳ | ⏳ | ⏳ | Environment transitions |
| Security Gate | ⏳ | ⏳ | ⏳ | Scan verdict evaluation |
| Approval Gate | ⏳ | ⏳ | ⏳ | Human sign-off |
| Freeze Window Gate | ⏳ | ⏳ | ⏳ | Calendar enforcement |
| Policy Gate (OPA/Rego) | ⏳ | ⏳ | ⏳ | Custom rules |
| Decision Records | ⏳ | ⏳ | ⏳ | Evidence-linked decisions |
| Deployment Execution | ||||
| Docker Host Agent | ⏳ | ⏳ | ⏳ | Direct container deployment |
| Compose Host Agent | ⏳ | ⏳ | ⏳ | Docker Compose deployment |
| SSH Agentless | ⏳ | ⏳ | ⏳ | Linux remote execution |
| WinRM Agentless | ⏳ | ⏳ | ⏳ | Windows remote execution |
| ECS Agent | ⏳ | ⏳ | ⏳ | AWS ECS deployment |
| Nomad Agent | ⏳ | ⏳ | ⏳ | HashiCorp Nomad deployment |
| Rollback | ⏳ | ⏳ | ⏳ | Previous version restore |
| Progressive Delivery | ||||
| A/B Releases | ⏳ | ⏳ | ⏳ | Traffic splitting |
| Canary Deployments | ⏳ | ⏳ | ⏳ | Gradual rollout |
| Blue-Green | ⏳ | ⏳ | ⏳ | Zero-downtime switch |
| Traffic Routing Plugins | ⏳ | ⏳ | ⏳ | Nginx/HAProxy/Traefik/ALB |
| Workflow Engine | ||||
| DAG Workflow Execution | ⏳ | ⏳ | ⏳ | Directed acyclic graphs |
| Step Registry | ⏳ | ⏳ | ⏳ | Built-in + custom steps |
| Workflow Templates | ⏳ | ⏳ | ⏳ | Reusable workflows |
| Script Steps (Bash/C#) | ⏳ | ⏳ | ⏳ | Custom automation |
| Evidence & Audit | ||||
| Evidence Packets | ⏳ | ⏳ | ⏳ | Sealed decision bundles |
| Version Stickers | ⏳ | ⏳ | ⏳ | On-target deployment records |
| Audit Export | ⏳ | ⏳ | ⏳ | Compliance reporting |
| Integrations | ||||
| GitHub Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| GitLab Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| Harbor Integration | ⏳ | ⏳ | ⏳ | Registry + scanning |
| HashiCorp Vault | ⏳ | ⏳ | ⏳ | Secrets management |
| AWS Secrets Manager | ⏳ | ⏳ | ⏳ | Secrets management |
| Plugin System | ||||
| Plugin Manifest | ⏳ | ⏳ | ⏳ | Static declarations |
| Connector Runtime | ⏳ | ⏳ | ⏳ | Dynamic execution |
| Step Providers | ⏳ | ⏳ | ⏳ | Custom workflow steps |
| Agent Types | ⏳ | ⏳ | ⏳ | Custom deployment targets |
Plan Limits
| Limit | Free | Pro | Enterprise |
|---|---|---|---|
| Environments | 3 | 33 | Unlimited |
| New Digests/Day | 333 | 3,333 | Unlimited |
| Deployments | Fair use | Fair use | Fair use |
| Targets per Environment | 10 | 100 | Unlimited |
| Agents | 3 | 33 | Unlimited |
| Integrations | 5 | 50 | Unlimited |
SBOM & Ingestion
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Trivy-JSON Ingestion | ✅ | ✅ | ✅ | |
| SPDX-JSON 3.0.1 Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | ✅ | ✅ | ✅ | |
| Auto-format Detection | ✅ | ✅ | ✅ | |
| Delta-SBOM Cache | ✅ | ✅ | ✅ | Warm scans <1s |
| SBOM Generation (all formats) | ✅ | ✅ | ✅ | |
| Semantic SBOM Diff | ✅ | ✅ | ✅ | |
| BYOS (Bring-Your-Own-SBOM) | ✅ | ✅ | ✅ | |
| SBOM Lineage Ledger | — | — | ✅ | Full versioned history |
| SBOM Lineage API | — | — | ✅ | Traversal queries |
Scanning & Detection
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| CVE Lookup via Local DB | ✅ | ✅ | ✅ | |
| Licence-Risk Detection | ⏳ | ⏳ | ⏳ | Q4-2025 |
| Automatic Detection (Class A) | Runs implicitly during scan | |||
| — Secrets Detection | ✅ | ✅ | ✅ | API keys, tokens, passwords; results in findings (see docs/modules/ui/components/findings-list.md) |
| — OS Package Analyzers | ✅ | ✅ | ✅ | apk, apt, yum, dnf, rpm, pacman; results in SBOM (see docs/modules/cli/guides/commands/sbom.md) |
| Language Analyzers (All 11) | ||||
| — .NET/C#, Java, Go, Python | ✅ | ✅ | ✅ | |
| — Node.js, Ruby, Bun, Deno | ✅ | ✅ | ✅ | |
| — PHP, Rust, Native binaries | ✅ | ✅ | ✅ | |
| Progressive Fidelity Modes | ||||
| — Quick Mode | ✅ | ✅ | ✅ | |
| — Standard Mode | ✅ | ✅ | ✅ | |
| — Deep Mode | — | ✅ | ✅ | Full analysis |
| Base Image Detection | ✅ | ✅ | ✅ | |
| Layer-Aware Analysis | ✅ | ✅ | ✅ | |
| Concurrent Scan Workers | 1 | 3 | Unlimited | |
Reachability Analysis
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Static Call Graph | ✅ | ✅ | ✅ | |
| Entrypoint Detection | ✅ | ✅ | ✅ | 9+ framework types |
| BFS Reachability | ✅ | ✅ | ✅ | |
| Reachability Drift Detection | ✅ | ✅ | ✅ | |
| Binary Loader Resolution | — | ✅ | ✅ | ELF/PE/Mach-O |
| Feature Flag/Config Gating | — | ✅ | ✅ | Layer 3 analysis |
| Runtime Signal Correlation | — | — | ✅ | Zastava integration |
| Gate Detection (auth/admin) | — | — | ✅ | Enterprise policies |
| Path Witness Generation | — | — | ✅ | Audit evidence |
| Reachability Mini-Map API | — | — | ✅ | UI visualization |
| Runtime Timeline API | — | — | ✅ | Temporal analysis |
Binary Analysis (BinaryIndex)
Binary analysis capabilities are CLI-first (Class B). UI integration stays minimal until user demand justifies more.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Binary Identity Extraction | ✅ | ✅ | ✅ | Build-ID, hashes |
| Build-ID Vulnerability Lookup | ✅ | ✅ | ✅ | |
| Debian/Ubuntu Corpus | ✅ | ✅ | ✅ | |
| RPM/RHEL Corpus | — | ✅ | ✅ | |
| Patch-Aware Backport Detection | — | ✅ | ✅ | |
| PE/Mach-O/ELF Parsers | — | ✅ | ✅ | |
| Binary Fingerprint Generation | — | — | ✅ | CLI: stella binary fingerprint export |
| Fingerprint Matching Engine | — | — | ✅ | Similarity search |
| Binary Diff | — | — | ✅ | CLI: stella binary diff <base> <candidate> |
| DWARF/Symbol Analysis | — | — | ✅ | Debug symbols |
CLI Commands (Class B):
- stella binary fingerprint export <artifact> — Export fingerprint data (function hashes, section hashes, symbol table)
- stella binary diff <base> <candidate> — Compare binaries with function/symbol-level diff
- Output formats: --format json|yaml|table
- Usage and examples: docs/modules/cli/guides/commands/binary.md
Advisory Sources (Concelier)
Concelier provides 33+ vulnerability feed connectors with automatic sync, health monitoring, and conflict detection.
| Source Category | Connectors | Free | Community | Enterprise | Notes |
|---|---|---|---|---|---|
| National CVE Databases | |||||
| — NVD (NIST) | ✅ | ✅ | ✅ | ✅ | Primary CVE source |
| — CVE (MITRE) | ✅ | ✅ | ✅ | ✅ | CVE Record format 5.0 |
| OSS Ecosystems | |||||
| — OSV | ✅ | ✅ | ✅ | ✅ | Multi-ecosystem |
| — GHSA | ✅ | ✅ | ✅ | ✅ | GitHub Security Advisories |
| Linux Distributions | |||||
| — Alpine SecDB | ✅ | ✅ | ✅ | ✅ | |
| — Debian Security Tracker | ✅ | ✅ | ✅ | ✅ | |
| — Ubuntu USN | ✅ | ✅ | ✅ | ✅ | |
| — RHEL/CentOS OVAL | — | ✅ | ✅ | ✅ | |
| — SUSE OVAL | — | ✅ | ✅ | ✅ | |
| — Astra Linux | — | — | ✅ | ✅ | Russian distro |
| CERTs / National CSIRTs | |||||
| — CISA KEV | ✅ | ✅ | ✅ | ✅ | Known Exploited Vulns |
| — CISA ICS-CERT | — | ✅ | ✅ | ✅ | Industrial control systems |
| — CERT-CC | — | ✅ | ✅ | ✅ | Carnegie Mellon |
| — CERT-FR | — | ✅ | ✅ | ✅ | France |
| — CERT-Bund (BSI) | — | ✅ | ✅ | ✅ | Germany |
| — CERT-In | — | ✅ | ✅ | ✅ | India |
| — ACSC | — | ✅ | ✅ | ✅ | Australia |
| — CCCS | — | ✅ | ✅ | ✅ | Canada |
| — KISA | — | ✅ | ✅ | ✅ | South Korea |
| — JVN | — | ✅ | ✅ | ✅ | Japan |
| Russian Federation Sources | |||||
| — FSTEC BDU | — | — | ✅ | ✅ | Russian vuln database |
| — NKCKI | — | — | ✅ | ✅ | Critical infrastructure |
| Vendor PSIRTs | |||||
| — Microsoft MSRC | — | ✅ | ✅ | ✅ | |
| — Cisco PSIRT | — | ✅ | ✅ | ✅ | |
| — Oracle CPU | — | ✅ | ✅ | ✅ | |
| — VMware | — | ✅ | ✅ | ✅ | |
| — Adobe PSIRT | — | ✅ | ✅ | ✅ | |
| — Apple Security | — | ✅ | ✅ | ✅ | |
| — Chromium | — | ✅ | ✅ | ✅ | |
| ICS/SCADA | |||||
| — Kaspersky ICS-CERT | — | — | ✅ | ✅ | Industrial security |
| Risk Scoring | |||||
| — EPSS v4 | ✅ | ✅ | ✅ | ✅ | Exploit prediction |
| Enterprise Features | |||||
| Custom Advisory Connectors | — | — | — | ✅ | Private feeds |
| Advisory Merge Engine | — | — | — | ✅ | Conflict resolution |
| Connector Health CLI | ✅ | ✅ | ✅ | ✅ | stella db connectors status |
Connector Operations Matrix (Status/Auth/Runbooks):
VEX Processing (Excititor/VexLens)
VEX processing provides a full consensus engine with 5-state lattice, 9 trust factors, and conflict detection.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| OpenVEX Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX VEX Ingestion | ✅ | ✅ | ✅ | |
| CSAF VEX Ingestion | — | ✅ | ✅ | |
| VEX Consensus Engine (5-state) | ✅ | ✅ | ✅ | Lattice-based resolution |
| Trust Vector Scoring (P/C/R) | ✅ | ✅ | ✅ | |
| Trust Weight Scoring (9 factors) | ✅ | ✅ | ✅ | Issuer, age, specificity, etc. |
| Claim Strength Multipliers | ✅ | ✅ | ✅ | |
| Freshness Decay | ✅ | ✅ | ✅ | 14-day half-life |
| Conflict Detection & Penalty | ✅ | ✅ | ✅ | K4 lattice logic |
| VEX Conflict Studio UI | ✅ | ✅ | ✅ | Visual resolution |
| VEX Hub (Distribution) | ✅ | ✅ | ✅ | Internal VEX network |
| VEX Webhook Distribution | — | ✅ | ✅ | Pub/sub notifications |
| CSAF Provider Connectors (7) | — | ✅ | ✅ | RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware |
| Issuer Trust Registry | — | ✅ | ✅ | Key lifecycle, trust overrides |
| VEX from Drift Generation | — | ✅ | ✅ | stella vex gen --from-drift |
| Trust Calibration Service | — | — | ✅ | Org-specific tuning |
| Consensus Rationale Export | — | — | ✅ | Audit-grade explainability |
CLI Commands:
- stella vex verify <statement> — Verify V
EX statement signature and content
- stella vex consensus <digest> — Show consensus status for digest
- stella vex evidence export — Export VEX evidence for audit
- stella vex webhooks list/add/remove — Manage VEX distribution
- stella issuer keys list/create/rotate/revoke — Issuer key management
Policy Engine
The policy engine implements Belnap K4 four-valued logic with 10+ gate types and 6 risk providers.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| YAML Policy Rules | ✅ | ✅ | ✅ | Basic rules |
| Belnap K4 Four-Valued Logic | ✅ | ✅ | ✅ | True/False/Both/Neither |
| Security Atoms (6 types) | ✅ | ✅ | ✅ | |
| Disposition Selection (ECMA-424) | ✅ | ✅ | ✅ | |
| Minimum Confidence Gate | ✅ | ✅ | ✅ | |
| 10+ Policy Gate Types | ✅ | ✅ | ✅ | Severity, reachability, age, etc. |
| 6 Risk Score Providers | ✅ | ✅ | ✅ | CVSS, KEV, EPSS, FixChain, etc. |
| Unknowns Budget Gate | — | ✅ | ✅ | |
| Determinization System | — | ✅ | ✅ | Signal weights, decay, uncertainty |
| Policy Simulation | — | ✅ | ✅ | stella policy simulate |
| Source Quota Gate | — | — | ✅ | 60% cap enforcement |
| Reachability Requirement Gate | — | — | ✅ | For criticals |
| OPA/Rego Integration | — | — | ✅ | Custom policies |
| Exception Objects & Workflow | — | — | ✅ | Approval chains |
| Score Policy YAML | — | — | ✅ | Full customization |
| Configurable Scoring Profiles | — | — | ✅ | Simple/Advanced |
| Policy Version History | — | — | ✅ | Audit trail |
| Verdict Attestations | — | — | ✅ | DSSE/Rekor signed verdicts |
CLI Commands:
- stella policy list/show/create/update/delete — Policy CRUD
- stella policy simulate <digest> — Simulate policy evaluation
- stella policy validate <file> — Validate policy YAML
- stella policy decisions list/show — View policy decisions
- stella policy gates list — List available gate types
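The VEX consensus mechanism described above (five-state lattice, weighted trust, 14-day freshness half-life, conflict detection) and the policy engine's Belnap K4 logic with an unknowns budget are easier to follow in running code. The Go program below is an added example written for this page; it is not Stella Ops code and does not reproduce the product's nine trust factors or calibrated weights. It assumes one threshold for "enough evidence", a 0.5 multiplier for claims that do not name the exact product version, and the OpenVEX status vocabulary. Issuer names, trust values and the finding-* identifiers are constructed sample data.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// K4 is a Belnap four-valued answer to "is this component affected?".
type K4 int

const (
	Neither K4 = iota // no usable evidence
	True              // evidence says affected
	False             // evidence says not affected or fixed
	Both              // trusted evidence on both sides: a conflict
)

func (k K4) String() string { return [...]string{"Neither", "True", "False", "Both"}[k] }

// Claim is one VEX statement (OpenVEX status vocabulary). BaseTrust and Specific
// stand in for the issuer-trust and specificity factors; their values are illustrative.
type Claim struct {
	Issuer    string
	Status    string // affected | not_affected | fixed | under_investigation
	IssuedAt  time.Time
	BaseTrust float64 // 0..1
	Specific  bool    // names the exact product version
}

const halfLifeDays = 14.0 // freshness half-life quoted on the page

// Weight = issuer trust x freshness decay x claim-strength multiplier.
func Weight(c Claim, now time.Time) float64 {
	age := math.Max(0, now.Sub(c.IssuedAt).Hours()/24)
	w := c.BaseTrust * math.Pow(0.5, age/halfLifeDays)
	if !c.Specific {
		w *= 0.5 // vague claims count half (assumed multiplier)
	}
	return w
}

// Resolve folds claims into a K4 value. A side needs summed weight >= threshold to
// count as evidence; both sides over it is reported as Both rather than tie-broken.
func Resolve(claims []Claim, now time.Time, threshold float64) K4 {
	var aff, unaff float64
	for _, c := range claims { // under_investigation carries no vote
		switch c.Status {
		case "affected":
			aff += Weight(c, now)
		case "not_affected", "fixed":
			unaff += Weight(c, now)
		}
	}
	switch {
	case aff < threshold && unaff < threshold:
		return Neither
	case aff >= threshold && unaff >= threshold:
		return Both
	case aff > unaff:
		return True
	}
	return False
}

// Gate turns per-finding consensus into a release decision: True blocks, Both
// blocks until a human resolves it, Neither spends the unknowns budget.
func Gate(findings map[string]K4, maxUnknowns int) (allow bool, blocked []string, unknowns int) {
	for id, v := range findings {
		switch v {
		case True, Both:
			blocked = append(blocked, id+"="+v.String())
		case Neither:
			unknowns++
		}
	}
	sort.Strings(blocked) // reproducible regardless of map iteration order
	return len(blocked) == 0 && unknowns <= maxUnknowns, blocked, unknowns
}

var Now = time.Date(2026, 1, 16, 0, 0, 0, 0, time.UTC) // fixed clock; claims below are constructed

func SampleFindings() map[string]K4 {
	ago := func(days int) time.Time { return Now.AddDate(0, 0, -days) }
	return map[string]K4{
		"finding-a": Resolve([]Claim{{"vendor", "not_affected", ago(2), 0.9, true}, // fresh, specific denial
			{"distro", "affected", ago(60), 0.7, false}}, Now, 0.3), // stale, vague claim: decays away
		"finding-b": Resolve([]Claim{{"vendor", "not_affected", ago(1), 0.9, true}, // two fresh, trusted
			{"researcher", "affected", ago(0), 0.8, true}}, Now, 0.3), // issuers disagree
		"finding-c": Resolve([]Claim{{"distro", "affected", ago(90), 0.6, false}}, Now, 0.3), // 90 days old
		"finding-d": Resolve([]Claim{{"vendor", "affected", ago(3), 0.9, true}}, Now, 0.3),
	}
}

func main() {
	f := SampleFindings()
	allow, blocked, unknowns := Gate(f, 1)
	fmt.Println(f, "allow:", allow, "blocked:", blocked, "unknowns:", unknowns)
}
```

Run it with go run. The output makes three points: the stale distro claim on finding-a has decayed to almost nothing, so it no longer contests the fresh vendor denial; finding-b comes out as Both rather than being silently tie-broken, so it blocks until someone resolves the conflict; finding-c has no live evidence at all and is charged against the unknowns budget instead of being treated as safe.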
Attestation & Signing
Attestation supports 25+ predicate types with keyless signing, key rotation, and attestation chains.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| DSSE Envelope Signing | ✅ | ✅ | ✅ | |
| in-toto Statement Structure | ✅ | ✅ | ✅ | |
| 25+ Predicate Types | ✅ | ✅ | ✅ | SBOM, VEX, verdict, etc. |
| SBOM Predicate | ✅ | ✅ | ✅ | |
| VEX Predicate | ✅ | ✅ | ✅ | |
| Reachability Predicate | — | ✅ | ✅ | |
| Policy Decision Predicate | — | ✅ | ✅ | |
| Verdict Manifest (signed) | — | ✅ | ✅ | |
| Verdict Replay Verification | — | ✅ | ✅ | |
| Keyless Signing (Sigstore) | — | ✅ | ✅ | Fulcio-based OIDC |
| Delta Attestations (4 types) | — | ✅ | ✅ | VEX/SBOM/Verdict/Reachability |
| Attestation Chains | — | ✅ | ✅ | Linked attestation graphs |
| Human Approval Predicate | — | — | ✅ | Workflow attestation |
| Boundary Predicate | — | — | ✅ | Network exposure |
| Key Rotation Service | — | — | ✅ | Automated key lifecycle |
| Trust Anchor Management | — | — | ✅ | Root CA management |
| SLSA Provenance v1.0 | — | — | ✅ | Supply chain |
| Rekor Transparency Log | — | — | ✅ | Public attestation |
| Cosign Integration | — | — | ✅ | Sigstore ecosystem |
CLI Commands:
- stella attest sign <file> — Sign attestation
- stella attest verify <envelope> — Verify attestation signature
- stella attest predicates list — List supported predicate types
- stella attest export <digest> — Export attestations for digest
- stella keys list/create/rotate/revoke — Key management
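An added example, not part of this page or of the Stella Ops code base, of the DSSE envelope and in-toto Statement structure listed above, combined with the digest-first check the Product Evolution section describes: a release verdict is signed over a Statement whose subject is the image digest, and the gate accepts the envelope only if a trusted key signed it, the predicate type is the expected verdict type, and the subject digest equals the digest actually being promoted. The PAE and envelope layout follow the DSSE specification; the predicate URI, the key-id scheme (SHA-256 of the raw public key), the registry name and the manifest bytes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const (
	StatementType    = "https://in-toto.io/Statement/v1"
	PayloadType      = "application/vnd.in-toto+json"
	VerdictPredicate = "https://example.invalid/release-verdict/v1" // assumed URI, not the product's
)

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// PAE is DSSE's pre-authentication encoding: the bytes actually signed, so the payload type is bound too.
func PAE(payloadType string, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(payload))), payload...)
}

// Sign serialises the statement and wraps it in a one-signature DSSE envelope.
func Sign(st Statement, priv ed25519.PrivateKey) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(PayloadType, body))
	return Envelope{PayloadType: PayloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: sha256Hex(priv.Public().(ed25519.PublicKey)),
			Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify accepts the envelope only if a signature checks out under a trusted key (keyid -> key),
// the statement is a release verdict, and its subject is the exact digest being released.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, wantDigest string) (st Statement, err error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return st, err
	}
	pae, signed := PAE(env.PayloadType, body), false
	for _, s := range env.Signatures {
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (derr == nil && len(trusted[s.KeyID]) == ed25519.PublicKeySize && ed25519.Verify(trusted[s.KeyID], pae, raw))
	}
	if !signed {
		return st, fmt.Errorf("no valid signature from a trusted key")
	}
	if err = json.Unmarshal(body, &st); err != nil {
		return st, err
	}
	if env.PayloadType != PayloadType || st.Type != StatementType || st.PredicateType != VerdictPredicate {
		return st, fmt.Errorf("not a signed release verdict statement")
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == wantDigest {
			return st, nil
		}
	}
	return st, fmt.Errorf("attestation does not cover digest %s", wantDigest)
}

// Demo signs a "pass" verdict for one constructed image digest and shows that the same
// envelope is rejected once the tag has been re-pointed at another digest.
func Demo() (accepted, wrongDigestAccepted bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	release := sha256Hex([]byte("constructed manifest, build 1"))
	env, _ := Sign(Statement{Type: StatementType, PredicateType: VerdictPredicate,
		Subject:   []Subject{{Name: "registry.example/app", Digest: map[string]string{"sha256": release}}},
		Predicate: json.RawMessage(`{"verdict":"pass","policy":"prod-default"}`)}, priv)
	trusted := map[string]ed25519.PublicKey{sha256Hex(pub): pub}
	_, errOK := Verify(env, trusted, release)
	_, errDigest := Verify(env, trusted, sha256Hex([]byte("constructed manifest, build 2")))
	return errOK == nil, errDigest == nil
}

func main() { fmt.Println(Demo()) } // true false
```

The re-pointed tag is the case to notice: the verdict is still validly signed, but it vouches for a different digest, so it must not pass. A production verifier additionally resolves the key through a trust anchor or a Fulcio certificate chain and checks Rekor inclusion; both are omitted here.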
Regional Crypto (Sovereign Profiles)
Sovereign crypto is core to the AGPL promise: no vendor lock-in on compliance. Eight signature profiles are supported.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Default Crypto (Ed25519) | ✅ | ✅ | ✅ | |
| FIPS 140-2/3 Mode | ✅ | ✅ | ✅ | US Federal |
| eIDAS Signatures | ✅ | ✅ | ✅ | EU Compliance |
| GOST/CryptoPro | ✅ | ✅ | ✅ | Russia |
| SM National Standard | ✅ | ✅ | ✅ | China |
| Post-Quantum (Dilithium / ML-DSA) | ✅ | ✅ | ✅ | Future-proof |
| Crypto Plugin Architecture | ✅ | ✅ | ✅ | Custom HSM |
| Multi-Profile Signing | — | ✅ | ✅ | Sign with multiple algorithms |
| SM Remote Service | — | — | ✅ | Chinese market HSM integration |
| HSM/PKCS#11 Integration | — | — | ✅ | Hardware security modules |
CLI Commands:
- stella crypto profiles list — List available crypto profiles
- stella crypto verify --profile <name> — Verify with specific profile
- stella crypto plugins list/status — Manage crypto plugins
Determinism & Reproducibility
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Canonical JSON Serialization | ✅ | ✅ | ✅ | |
| Content-Addressed IDs | ✅ | ✅ | ✅ | SHA-256 |
| Replay Manifest (SRM) | ✅ | ✅ | ✅ | |
| stella replay CLI | ✅ | ✅ | ✅ | |
| Score Explanation Arrays | ✅ | ✅ | ✅ | |
| Evidence Freshness Multipliers | — | ✅ | ✅ | |
| Proof Coverage Metrics | — | ✅ | ✅ | |
| Fidelity Metrics (BF/SF/PF) | — | — | ✅ | Audit dashboards |
| FN-Drift Rate Tracking | — | — | ✅ | Quality monitoring |
| Determinism Gate CI | — | — | ✅ | Automated checks |
Scoring & Risk Assessment
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| CVSS v4.0 Display | ✅ | ✅ | ✅ | |
| EPSS v4 Probability | ✅ | ✅ | ✅ | |
| Priority Band Classification | ✅ | ✅ | ✅ | |
| EPSS-at-Scan Immutability | — | ✅ | ✅ | |
| Unified Confidence Model | — | ✅ | ✅ | 5-factor |
| Entropy-Based Scoring | — | — | ✅ | Advanced |
| Gate Multipliers | — | — | ✅ | Reachability-aware |
| Unknowns Pressure Factor | — | — | ✅ | Risk budgets |
| Custom Scoring Profiles | — | — | ✅ | Org-specific |
Evidence & Findings
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Findings List | ✅ | ✅ | ✅ | |
| Evidence Graph View | ✅ | ✅ | ✅ | Basic |
| Decision Capsules | ✅ | ✅ | ✅ | |
| Findings Ledger (Immutable) | — | — | ✅ | Audit trail |
| Evidence Locker (Sealed) | — | — | ✅ | Export/import |
| Evidence TTL Policies | — | — | ✅ | Retention rules |
| Evidence Size Budgets | — | — | ✅ | Storage governance |
| Retention Tiers | — | — | ✅ | Hot/Warm/Cold |
| Privacy Controls | — | — | ✅ | Redaction |
| Audit Pack Export | — | — | ✅ | Compliance bundles |
CLI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Scanner Commands | ✅ | ✅ | ✅ | |
| SBOM Inspect & Diff | ✅ | ✅ | ✅ | |
| Deterministic Replay | ✅ | ✅ | ✅ | |
| Attestation Verify | — | ✅ | ✅ | |
| Unknowns Budget Check | — | ✅ | ✅ | |
| Evidence Export | — | ✅ | ✅ | |
| Audit Pack Operations | — | — | ✅ | Full workflow |
| Binary Match Inspection | — | — | ✅ | Advanced |
| Crypto Plugin Commands | — | — | ✅ | Regional crypto |
| Admin Utilities | — | — | ✅ | Ops tooling |
Web UI Capabilities
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Dark/Light Mode | ✅ | ✅ | ✅ | |
| Findings Row Component | ✅ | ✅ | ✅ | |
| Evidence Drawer | ✅ | ✅ | ✅ | |
| Proof Tab | ✅ | ✅ | ✅ | |
| Confidence Meter | ✅ | ✅ | ✅ | |
| Locale Support | — | ✅ | ✅ | Cyrillic, etc. |
| Reproduce Verdict Button | — | ✅ | ✅ | |
| Audit Trail UI | — | — | ✅ | Full history |
| Trust Algebra Panel | — | — | ✅ | P/C/R visualization |
| Claim Comparison Table | — | — | ✅ | Conflict view |
| Policy Chips Display | — | — | ✅ | Gate status |
| Reachability Mini-Map | — | — | ✅ | Path visualization |
| Runtime Timeline | — | — | ✅ | Temporal view |
| Operator/Auditor Toggle | — | — | ✅ | Role separation |
| Knowledge Snapshot UI | — | — | ✅ | Air-gap prep |
| Keyboard Shortcuts | — | — | ✅ | Power users |
Quota & Operations
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Scans per Day | 33 | 333 | 2,000+ | Soft limit |
| Usage API (/quota) | ✅ | ✅ | ✅ | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | ✅ | ✅ | ✅ | |
| 429 Backpressure | ✅ | ✅ | ✅ | |
| Retry-After Headers | ✅ | ✅ | ✅ | |
| Priority Queue | — | — | ✅ | Guaranteed capacity |
| Burst Allowance | — | — | ✅ | 3× daily for 1hr |
| Custom Quotas | — | — | ✅ | Per contract |
Offline & Air-Gap
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Offline Update Kits (OUK) | — | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | — | ✅ | ✅ | |
| One-Command Replay | — | ✅ | ✅ | |
| Sealed Knowledge Snapshots | — | — | ✅ | Full feed export |
| Air-Gap Bundle Manifest | — | — | ✅ | Transfer packages |
| No-Egress Enforcement | — | — | ✅ | Strict isolation |
| Offline JWT (90d) | — | — | ✅ | Extended tokens |
Deployment
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Docker Compose | ✅ | ✅ | ✅ | Single-node |
| Helm Chart (K8s) | — | ✅ | ✅ | |
| PostgreSQL 16+ | ✅ | ✅ | ✅ | |
| Valkey 8.0+ | ✅ | ✅ | ✅ | |
| RustFS (S3) | — | ✅ | ✅ | |
| High-Availability | — | — | ✅ | Multi-replica |
| Horizontal Scaling | — | — | ✅ | Auto-scale |
| Dedicated Capacity | — | — | ✅ | Reserved resources |
Access Control & Identity (Authority)
Authority provides OAuth 2.1/OIDC with 75+ authorization scopes, DPoP, and device authorization.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Basic Auth | ✅ | ✅ | ✅ | |
| API Keys | ✅ | ✅ | ✅ | With scopes and expiration |
| SSO/SAML Integration | ✅ | ✅ | ✅ | Okta, Azure AD |
| OIDC Support | ✅ | ✅ | ✅ | |
| Basic RBAC | ✅ | ✅ | ✅ | User/Admin |
| 75+ Authorization Scopes | ✅ | ✅ | ✅ | Fine-grained permissions |
| DPoP (Sender Constraints) | — | ✅ | ✅ | Token binding |
| mTLS Client Certificates | — | ✅ | ✅ | Certificate auth |
| Device Authorization Flow | — | ✅ | ✅ | CLI/IoT devices |
| PAR Support | — | ✅ | ✅ | Pushed Authorization Requests |
| User Federation (LDAP/SAML) | — | — | ✅ | Directory integration |
| Multi-Factor Authentication | — | — | ✅ | TOTP/WebAuthn |
| Advanced RBAC | — | — | ✅ | Team-based scopes |
| Multi-Tenant Management | — | — | ✅ | Org hierarchy |
| Audit Log Export | — | — | ✅ | SIEM integration |
CLI Commands:
- stella auth clients list/create/delete — OAuth client management
- stella auth roles list/show/assign — Role management
- stella auth scopes list — List available scopes
- stella auth token introspect <token> — Token introspection
- stella auth api-keys list/create/revoke — API key management
Notifications & Integrations
Ten notification channel types, with a template engine, routing rules, and escalation.
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| In-App Notifications | ✅ | ✅ | ✅ | |
| Email Notifications | — | ✅ | ✅ | |
| EPSS Change Alerts | — | ✅ | ✅ | |
| Slack Integration | ✅ | ✅ | ✅ | Basic |
| Teams Integration | ✅ | ✅ | ✅ | Basic |
| Discord Integration | — | ✅ | ✅ | Webhook-based |
| PagerDuty Integration | — | ✅ | ✅ | Incident management |
| OpsGenie Integration | — | ✅ | ✅ | Alert routing |
| Zastava Registry Hooks | ✅ | ✅ | ✅ | Auto-scan on push |
| Zastava K8s Admission | — | ✅ | ✅ | Validating/Mutating webhooks |
| Template Engine | — | — | ✅ | Customizable templates |
| Channel Routing Rules | — | — | ✅ | Severity/team routing |
| Escalation Policies | — | — | ✅ | Time-based escalation |
| Notification Studio UI | — | — | ✅ | Visual rule builder |
| Custom Webhooks | — | — | ✅ | Any endpoint |
| CI/CD Gates | — | — | ✅ | GitLab/GitHub/Jenkins |
| SCM Integrations | — | — | ✅ | PR comments, status checks |
| Issue Tracker Integration | — | — | ✅ | Jira, GitHub Issues |
| Enterprise Connectors | — | — | ✅ | Grid/Premium APIs |
CLI Commands:
- stella notify channels list/test — Channel management
- stella notify rules list/create — Routing rules
- stella zastava install/configure/status — K8s webhook management
Scheduling & Automation
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Manual Scans | ✅ | ✅ | ✅ | |
| Scheduled Scans | — | — | ✅ | Cron-based |
| Task Pack Orchestration | — | — | ✅ | Declarative workflows |
| EPSS Daily Refresh | — | — | ✅ | Auto-update |
| Event-Driven Scanning | — | — | ✅ | On registry push |
Observability & Telemetry
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Basic Metrics | ✅ | ✅ | ✅ | |
| Opt-In Telemetry | ✅ | ✅ | ✅ | |
| OpenTelemetry Traces | — | — | ✅ | Full tracing |
| Prometheus Export | — | — | ✅ | Custom dashboards |
| Quality KPIs Dashboard | — | — | ✅ | Triage metrics |
| SLA Monitoring | — | — | ✅ | Uptime tracking |
Support & Services
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| Documentation | ✅ | ✅ | ✅ | |
| Community Forums | ✅ | ✅ | ✅ | |
| GitHub Issues | ✅ | ✅ | ✅ | |
| Email Support | — | — | ✅ | Business hours |
| Priority Support | — | — | ✅ | 4hr response |
| 24/7 Critical Support | — | — | ✅ | Add-on |
| Dedicated CSM | — | — | ✅ | Named contact |
| Professional Services | — | — | ✅ | Implementation |
| Training & Certification | — | — | ✅ | Team enablement |
| SLA Guarantee | — | — | ✅ | 99.9% uptime |
Version Comparison
| Capability | Free | Community | Enterprise | Notes |
|---|---|---|---|---|
| RPM (NEVRA) | ✅ | ✅ | ✅ | |
| Debian (EVR) | ✅ | ✅ | ✅ | |
| Alpine (APK) | ✅ | ✅ | ✅ | |
| SemVer | ✅ | ✅ | ✅ | |
| PURL Resolution | ✅ | ✅ | ✅ | |
Summary by Tier
Free Tier (33 scans/day)
Target: Individual developers, OSS contributors, evaluation
- All language analyzers (11 languages)
- All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
- Full VEX processing + VEX Hub + Conflict Studio
- SSO/SAML/OIDC authentication
- Zastava registry webhooks
- Slack/Teams notifications
- Core determinism + replay
- Docker Compose deployment
- Community support
Community Tier (333 scans/day)
Target: Startups, small teams (<25), active open source projects
Everything in Free, plus:
- 10× scan quota
- Deep analysis mode
- Binary analysis (backport detection)
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications + EPSS alerts
- Monthly Offline Update Kit access
Registration required, 30-day token renewal
Enterprise Tier (2,000+ scans/day)
Target: Organizations 25+, compliance-driven, multi-team
Everything in Community, plus:
- Scale: HA, horizontal scaling, priority queue, burst allowance
- Multi-Team: Advanced RBAC (scopes), multi-tenant, org hierarchy
- Advanced Detection: Binary fingerprints, trust calibration
- Compliance: SLSA provenance, Rekor transparency, audit pack export
- Air-Gap: Sealed snapshots, 90-day offline tokens, no-egress mode
- Automation: CI/CD gates, custom webhooks, scheduled scans
- Observability: OpenTelemetry, Prometheus, KPI dashboards
- Support: SLA (99.9%), priority support (4hr), dedicated CSM
Legend: ✅ = Included | — = Not available | ⏳ = Planned
Last updated: 16 Jan 2026 (rev 5.1 - Documentation Sprint 024)