# Feature Matrix — Stella Ops Suite

*(rev 5.0 · 09 Jan 2026)*

> **Looking for a quick read?** Check [`key-features.md`](key-features.md) for the short capability cards; this matrix keeps full tier-by-tier detail.

---

## Product Evolution
**Stella Ops Suite** is now a centralized, auditable release control plane for non-Kubernetes container estates. The platform combines release orchestration with security decisioning as a gate.
- **Release orchestration** — UI-driven promotion (Dev → Stage → Prod), approvals, policy gates, rollbacks
- **Security decisioning as a gate** — Scan on build, evaluate on release, re-evaluate on CVE updates
- **OCI-digest-first releases** — Immutable digest-based release identity
- **Evidence packets** — Every release decision is cryptographically signed and stored

---

## Pricing Model

**Principle:** Pay for scale, not for features or automation. No per-seat, per-project, or per-deployment taxes.

| Plan | Price | Environments | New Digests/Day | Deployments | Notes |
|------|-------|--------------|-----------------|-------------|-------|
| **Free** | $0/month | 3 | 333 | Unlimited (fair use) | Full features |
| **Pro** | $699/month | 33 | 3,333 | Unlimited (fair use) | Same features |
| **Enterprise** | $1,999/month | Unlimited | Unlimited | Unlimited | Fair use on mirroring/audit bandwidth |

**Key Principles:**

- All plans include all features (no feature gating)
- Limits are environments + new digests analyzed per day
- Unlimited deployments with fair use policy

---

## Competitive Moat Features

*These differentiators are available across all plans.*

| Capability | Free | Pro | Enterprise | Notes |
|------------|:----:|:---:|:----------:|-------|
| Signed Replayable Risk Verdicts | ✅ | ✅ | ✅ | Core differentiator |
| Decision Capsules | ✅ | ✅ | ✅ | Audit-grade evidence bundles |
| VEX Decisioning Engine | ✅ | ✅ | ✅ | Trust lattice + conflict resolution |
| Reachability with Portable Proofs | ✅ | ✅ | ✅ | Three-layer analysis |
| Smart-Diff (Semantic Risk Delta) | ✅ | ✅ | ✅ | Material change detection |
| Unknowns as First-Class State | ✅ | ✅ | ✅ | Uncertainty budgets |
| Deterministic Replay | ✅ | ✅ | ✅ | `stella replay srm.yaml` |
| Non-Kubernetes First-Class | ✅ | ✅ | ✅ | Docker/Compose/ECS/Nomad targets |
| Digest-First Release Identity | ✅ | ✅ | ✅ | Immutable releases |

---

## Release Orchestration (Planned)

*Release orchestration capabilities are planned for implementation. All plans will include all features.*

| Capability | Free | Pro | Enterprise | Notes |
|------------|:----:|:---:|:----------:|-------|
| **Environment Management** | | | | |
| Environment CRUD | ⏳ | ⏳ | ⏳ | Dev/Stage/Prod definitions |
| Freeze Windows | ⏳ | ⏳ | ⏳ | Calendar-based blocking |
| Approval Policies | ⏳ | ⏳ | ⏳ | Per-environment rules |
| **Release Management** | | | | |
| Component Registry | ⏳ | ⏳ | ⏳ | Service → repository mapping |
| Release Bundles | ⏳ | ⏳ | ⏳ | Component → digest bundles |
| Semantic Versioning | ⏳ | ⏳ | ⏳ | SemVer release versions |
| Tag → Digest Resolution | ⏳ | ⏳ | ⏳ | Immutable digest pinning |
| **Promotion & Gates** | | | | |
| Promotion Workflows | ⏳ | ⏳ | ⏳ | Environment transitions |
| Security Gate | ⏳ | ⏳ | ⏳ | Scan verdict evaluation |
| Approval Gate | ⏳ | ⏳ | ⏳ | Human sign-off |
| Freeze Window Gate | ⏳ | ⏳ | ⏳ | Calendar enforcement |
| Policy Gate (OPA/Rego) | ⏳ | ⏳ | ⏳ | Custom rules |
| Decision Records | ⏳ | ⏳ | ⏳ | Evidence-linked decisions |
| **Deployment Execution** | | | | |
| Docker Host Agent | ⏳ | ⏳ | ⏳ | Direct container deployment |
| Compose Host Agent | ⏳ | ⏳ | ⏳ | Docker Compose deployment |
| SSH Agentless | ⏳ | ⏳ | ⏳ | Linux remote execution |
| WinRM Agentless | ⏳ | ⏳ | ⏳ | Windows remote execution |
| ECS Agent | ⏳ | ⏳ | ⏳ | AWS ECS deployment |
| Nomad Agent | ⏳ | ⏳ | ⏳ | HashiCorp Nomad deployment |
| Rollback | ⏳ | ⏳ | ⏳ | Previous version restore |
| **Progressive Delivery** | | | | |
| A/B Releases | ⏳ | ⏳ | ⏳ | Traffic splitting |
| Canary Deployments | ⏳ | ⏳ | ⏳ | Gradual rollout |
| Blue-Green | ⏳ | ⏳ | ⏳ | Zero-downtime switch |
| Traffic Routing Plugins | ⏳ | ⏳ | ⏳ | Nginx/HAProxy/Traefik/ALB |
| **Workflow Engine** | | | | |
| DAG Workflow Execution | ⏳ | ⏳ | ⏳ | Directed acyclic graphs |
| Step Registry | ⏳ | ⏳ | ⏳ | Built-in + custom steps |
| Workflow Templates | ⏳ | ⏳ | ⏳ | Reusable workflows |
| Script Steps (Bash/C#) | ⏳ | ⏳ | ⏳ | Custom automation |
| **Evidence & Audit** | | | | |
| Evidence Packets | ⏳ | ⏳ | ⏳ | Sealed decision bundles |
| Version Stickers | ⏳ | ⏳ | ⏳ | On-target deployment records |
| Audit Export | ⏳ | ⏳ | ⏳ | Compliance reporting |
| **Integrations** | | | | |
| GitHub Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| GitLab Integration | ⏳ | ⏳ | ⏳ | SCM + webhooks |
| Harbor Integration | ⏳ | ⏳ | ⏳ | Registry + scanning |
| HashiCorp Vault | ⏳ | ⏳ | ⏳ | Secrets management |
| AWS Secrets Manager | ⏳ | ⏳ | ⏳ | Secrets management |
| **Plugin System** | | | | |
| Plugin Manifest | ⏳ | ⏳ | ⏳ | Static declarations |
| Connector Runtime | ⏳ | ⏳ | ⏳ | Dynamic execution |
| Step Providers | ⏳ | ⏳ | ⏳ | Custom workflow steps |
| Agent Types | ⏳ | ⏳ | ⏳ | Custom deployment targets |

---

## Plan Limits

| Limit | Free | Pro | Enterprise |
|-------|:----:|:---:|:----------:|
| **Environments** | 3 | 33 | Unlimited |
| **New Digests/Day** | 333 | 3,333 | Unlimited |
| **Deployments** | Fair use | Fair use | Fair use |
| **Targets per Environment** | 10 | 100 | Unlimited |
| **Agents** | 3 | 33 | Unlimited |
| **Integrations** | 5 | 50 | Unlimited |

---

## SBOM & Ingestion

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Trivy-JSON Ingestion | ✅ | ✅ | ✅ | |
| SPDX-JSON 3.0.1 Ingestion | ✅ | ✅ | ✅ | |
| CycloneDX 1.7 Ingestion (1.6 backward compatible) | ✅ | ✅ | ✅ | |
| Auto-format Detection | ✅ | ✅ | ✅ | |
| Delta-SBOM Cache | ✅ | ✅ | ✅ | Warm scans <1s |
| SBOM Generation (all formats) | | | | |
| Semantic SBOM Diff | | | | |
| BYOS (Bring-Your-Own-SBOM) | | | | |
| **SBOM Lineage Ledger** | | | | Full versioned history |
| **SBOM Lineage API** | | | | Traversal queries |

---

## Scanning & Detection

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVE Lookup via Local DB | | | | |
| Licence-Risk Detection | | | | Q4-2025 |
| **Language Analyzers (All 11)** | | | | |
| .NET/C#, Java, Go, Python | | | | |
| Node.js, Ruby, Bun, Deno | | | | |
| PHP, Rust, Native binaries | | | | |
| **Progressive Fidelity Modes** | | | | |
| Quick Mode | | | | |
| Standard Mode | | | | |
| Deep Mode | | | | Full analysis |
| Base Image Detection | | | | |
| Layer-Aware Analysis | | | | |
| **Concurrent Scan Workers** | 1 | 3 | Unlimited | |

---

## Reachability Analysis

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Static Call Graph | | | | |
| Entrypoint Detection | | | | 9+ framework types |
| BFS Reachability | | | | |
| Reachability Drift Detection | | | | |
| Binary Loader Resolution | | | | ELF/PE/Mach-O |
| Feature Flag/Config Gating | | | | Layer 3 analysis |
| Runtime Signal Correlation | | | | Zastava integration |
| Gate Detection (auth/admin) | | | | Enterprise policies |
| Path Witness Generation | | | | Audit evidence |
| Reachability Mini-Map API | | | | UI visualization |
| Runtime Timeline API | | | | Temporal analysis |

---

## Binary Analysis (BinaryIndex)

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Binary Identity Extraction | | | | Build-ID, hashes |
| Build-ID Vulnerability Lookup | | | | |
| Debian/Ubuntu Corpus | | | | |
| RPM/RHEL Corpus | | | | |
| Patch-Aware Backport Detection | | | | |
| PE/Mach-O/ELF Parsers | | | | |
| **Binary Fingerprint Generation** | | | | Advanced detection |
| **Fingerprint Matching Engine** | | | | Similarity search |
| **DWARF/Symbol Analysis** | | | | Debug symbols |

---

## Advisory Sources (Concelier)

| Source | Free | Community | Enterprise | Notes |
|--------|:----:|:---------:|:----------:|-------|
| NVD | | | | |
| GHSA | | | | |
| OSV | | | | |
| Alpine SecDB | | | | |
| Debian Security Tracker | | | | |
| Ubuntu USN | | | | |
| RHEL/CentOS OVAL | | | | |
| KEV (Exploited Vulns) | | | | |
| EPSS v4 | | | | |
| **Custom Advisory Connectors** | | | | Private feeds |
| **Advisory Merge Engine** | | | | Conflict resolution |

---

## VEX Processing (Excititor)

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| OpenVEX Ingestion | | | | |
| CycloneDX VEX Ingestion | | | | |
| CSAF VEX Ingestion | | | | |
| VEX Consensus Resolver | | | | |
| Trust Vector Scoring (P/C/R) | | | | |
| Claim Strength Multipliers | | | | |
| Freshness Decay | | | | |
| Conflict Detection & Penalty | | | | K4 lattice logic |
| VEX Conflict Studio UI | | | | Visual resolution |
| VEX Hub (Distribution) | | | | Internal VEX network |
| **Trust Calibration Service** | | | | Org-specific tuning |

---

## Policy Engine

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| YAML Policy Rules | | | | Basic rules |
| Belnap K4 Four-Valued Logic | | | | |
| Security Atoms (6 types) | | | | |
| Disposition Selection (ECMA-424) | | | | |
| Minimum Confidence Gate | | | | |
| Unknowns Budget Gate | | | | |
| Source Quota Gate | | | | 60% cap enforcement |
| Reachability Requirement Gate | | | | For criticals |
| **OPA/Rego Integration** | | | | Custom policies |
| **Exception Objects & Workflow** | | | | Approval chains |
| **Score Policy YAML** | | | | Full customization |
| **Configurable Scoring Profiles** | | | | Simple/Advanced |
| **Policy Version History** | | | | Audit trail |

---

## Attestation & Signing

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| DSSE Envelope Signing | | | | |
| in-toto Statement Structure | | | | |
| SBOM Predicate | | | | |
| VEX Predicate | | | | |
| Reachability Predicate | | | | |
| Policy Decision Predicate | | | | |
| Verdict Manifest (signed) | | | | |
| Verdict Replay Verification | | | | |
| **Human Approval Predicate** | | | | Workflow attestation |
| **Boundary Predicate** | | | | Network exposure |
| **Key Rotation Management** | | | | Enterprise key ops |
| **SLSA Provenance v1.0** | | | | Supply chain |
| **Rekor Transparency Log** | | | | Public attestation |
| **Cosign Integration** | | | | Sigstore ecosystem |

---

## Regional Crypto (Sovereign Profiles)

*Sovereign crypto is core to the AGPL promise - no vendor lock-in on compliance.*

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Default Crypto (Ed25519) | | | | |
| FIPS 140-2/3 Mode | | | | US Federal |
| eIDAS Signatures | | | | EU Compliance |
| GOST/CryptoPro | | | | Russia |
| SM National Standard | | | | China |
| Post-Quantum (Dilithium) | | | | Future-proof |
| Crypto Plugin Architecture | | | | Custom HSM |

---

## Determinism & Reproducibility

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Canonical JSON Serialization | | | | |
| Content-Addressed IDs | | | | SHA-256 |
| Replay Manifest (SRM) | | | | |
| `stella replay` CLI | | | | |
| Score Explanation Arrays | | | | |
| Evidence Freshness Multipliers | | | | |
| Proof Coverage Metrics | | | | |
| **Fidelity Metrics (BF/SF/PF)** | | | | Audit dashboards |
| **FN-Drift Rate Tracking** | | | | Quality monitoring |
| **Determinism Gate CI** | | | | Automated checks |

---

## Scoring & Risk Assessment

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| CVSS v4.0 Display | | | | |
| EPSS v4 Probability | | | | |
| Priority Band Classification | | | | |
| EPSS-at-Scan Immutability | | | | |
| Unified Confidence Model | | | | 5-factor |
| **Entropy-Based Scoring** | | | | Advanced |
| **Gate Multipliers** | | | | Reachability-aware |
| **Unknowns Pressure Factor** | | | | Risk budgets |
| **Custom Scoring Profiles** | | | | Org-specific |

---

## Evidence & Findings

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Findings List | | | | |
| Evidence Graph View | | | | Basic |
| Decision Capsules | | | | |
| **Findings Ledger (Immutable)** | | | | Audit trail |
| **Evidence Locker (Sealed)** | | | | Export/import |
| **Evidence TTL Policies** | | | | Retention rules |
| **Evidence Size Budgets** | | | | Storage governance |
| **Retention Tiers** | | | | Hot/Warm/Cold |
| **Privacy Controls** | | | | Redaction |
| **Audit Pack Export** | | | | Compliance bundles |

---

## CLI Capabilities

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Scanner Commands | | | | |
| SBOM Inspect & Diff | | | | |
| Deterministic Replay | | | | |
| Attestation Verify | | | | |
| Unknowns Budget Check | | | | |
| Evidence Export | | | | |
| **Audit Pack Operations** | | | | Full workflow |
| **Binary Match Inspection** | | | | Advanced |
| **Crypto Plugin Commands** | | | | Regional crypto |
| **Admin Utilities** | | | | Ops tooling |

---

## Web UI Capabilities

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Dark/Light Mode | | | | |
| Findings Row Component | | | | |
| Evidence Drawer | | | | |
| Proof Tab | | | | |
| Confidence Meter | | | | |
| Locale Support | | | | Cyrillic, etc. |
| Reproduce Verdict Button | | | | |
| **Audit Trail UI** | | | | Full history |
| **Trust Algebra Panel** | | | | P/C/R visualization |
| **Claim Comparison Table** | | | | Conflict view |
| **Policy Chips Display** | | | | Gate status |
| **Reachability Mini-Map** | | | | Path visualization |
| **Runtime Timeline** | | | | Temporal view |
| **Operator/Auditor Toggle** | | | | Role separation |
| **Knowledge Snapshot UI** | | | | Air-gap prep |
| **Keyboard Shortcuts** | | | | Power users |

---

## Quota & Operations

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| **Scans per Day** | **33** | **333** | **2,000+** | Soft limit |
| Usage API (`/quota`) | | | | |
| Client-JWT (Online) | 12h | 30d | Annual | Token duration |
| Rate Limiting | | | | |
| 429 Backpressure | | | | |
| Retry-After Headers | | | | |
| **Priority Queue** | | | | Guaranteed capacity |
| **Burst Allowance** | | | | 3× daily for 1hr |
| **Custom Quotas** | | | | Per contract |

---

## Offline & Air-Gap

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Offline Update Kits (OUK) | | Monthly | Weekly | Feed freshness |
| Offline Signature Verify | | | | |
| One-Command Replay | | | | |
| **Sealed Knowledge Snapshots** | | | | Full feed export |
| **Air-Gap Bundle Manifest** | | | | Transfer packages |
| **No-Egress Enforcement** | | | | Strict isolation |
| **Offline JWT (90d)** | | | | Extended tokens |

---

## Deployment

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Docker Compose | | | | Single-node |
| Helm Chart (K8s) | | | | |
| PostgreSQL 16+ | | | | |
| Valkey 8.0+ | | | | |
| RustFS (S3) | | | | |
| **High-Availability** | | | | Multi-replica |
| **Horizontal Scaling** | | | | Auto-scale |
| **Dedicated Capacity** | | | | Reserved resources |

---

## Access Control & Identity

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Auth | | | | |
| API Keys | | | | |
| SSO/SAML Integration | | | | Okta, Azure AD |
| OIDC Support | | | | |
| Basic RBAC | | | | User/Admin |
| **Advanced RBAC** | | | | Team-based scopes |
| **Multi-Tenant Management** | | | | Org hierarchy |
| **Audit Log Export** | | | | SIEM integration |

---

## Notifications & Integrations

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Email Notifications | | | | |
| In-App Notifications | | | | |
| EPSS Change Alerts | | | | |
| Slack Integration | | | | Basic |
| Teams Integration | | | | Basic |
| Zastava Registry Hooks | | | | Auto-scan on push |
| **Custom Webhooks** | | | | Any endpoint |
| **CI/CD Gates** | | | | GitLab/GitHub/Jenkins |
| **Enterprise Connectors** | | | | Grid/Premium APIs |

---

## Scheduling & Automation

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Manual Scans | | | | |
| **Scheduled Scans** | | | | Cron-based |
| **Task Pack Orchestration** | | | | Declarative workflows |
| **EPSS Daily Refresh** | | | | Auto-update |
| **Event-Driven Scanning** | | | | On registry push |

---

## Observability & Telemetry

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Basic Metrics | | | | |
| Opt-In Telemetry | | | | |
| **OpenTelemetry Traces** | | | | Full tracing |
| **Prometheus Export** | | | | Custom dashboards |
| **Quality KPIs Dashboard** | | | | Triage metrics |
| **SLA Monitoring** | | | | Uptime tracking |

---

## Support & Services

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| Documentation | | | | |
| Community Forums | | | | |
| GitHub Issues | | | | |
| **Email Support** | | | | Business hours |
| **Priority Support** | | | | 4hr response |
| **24/7 Critical Support** | | | | Add-on |
| **Dedicated CSM** | | | | Named contact |
| **Professional Services** | | | | Implementation |
| **Training & Certification** | | | | Team enablement |
| **SLA Guarantee** | | | | 99.9% uptime |

---

## Version Comparison

| Capability | Free | Community | Enterprise | Notes |
|------------|:----:|:---------:|:----------:|-------|
| RPM (NEVRA) | | | | |
| Debian (EVR) | | | | |
| Alpine (APK) | | | | |
| SemVer | | | | |
| PURL Resolution | | | | |

---

## Summary by Tier

### Free Tier (33 scans/day)

**Target:** Individual developers, OSS contributors, evaluation

- All language analyzers (11 languages)
- All regional crypto (FIPS/eIDAS/GOST/SM/PQ)
- Full VEX processing + VEX Hub + Conflict Studio
- SSO/SAML/OIDC authentication
- Zastava registry webhooks
- Slack/Teams notifications
- Core determinism + replay
- Docker Compose deployment
- Community support

### Community Tier (333 scans/day)

**Target:** Startups, small teams (<25), active open source projects

Everything in Free, plus:

- 10× scan quota
- Deep analysis mode
- Binary analysis (backport detection)
- Advanced attestation predicates
- Helm/K8s deployment
- Email notifications + EPSS alerts
- Monthly Offline Update Kit access

**Registration required, 30-day token renewal**

### Enterprise Tier (2,000+ scans/day)

**Target:** Organizations 25+, compliance-driven, multi-team

Everything in Community, plus:

- **Scale**: HA, horizontal scaling, priority queue, burst allowance
- **Multi-Team**: Advanced RBAC (scopes), multi-tenant, org hierarchy
- **Advanced Detection**: Binary fingerprints, trust calibration
- **Compliance**: SLSA provenance, Rekor transparency, audit pack export
- **Air-Gap**: Sealed snapshots, 90-day offline tokens, no-egress mode
- **Automation**: CI/CD gates, custom webhooks, scheduled scans
- **Observability**: OpenTelemetry, Prometheus, KPI dashboards
- **Support**: SLA (99.9%), priority support (4hr), dedicated CSM

---

> **Legend:** ✅ = Included | — = Not available | ⏳ = Planned

---

*Last updated: 24 Dec 2025 (rev 4.0 - Tiered Commercial Model)*