Volt CLI: source-available under AGPSL v5.0

Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0

pkg/license/features.go

@@ -0,0 +1,208 @@
+/*
+Volt Platform — Feature Gating
+Tier-based feature definitions and access control infrastructure
+
+TWO-LICENSE MODEL (revised 2026-03-20):
+  ALL source code is AGPSL v5 (source-available). NOTHING is open source.
+  Proprietary components are closed-source separate binaries.
+
+Licensing Tiers:
+  - Community (Free): Limited CLI — basic container lifecycle, ps, logs,
+    local CAS, basic networking, security profiles. 50 containers/node.
+  - Pro ($29/node/month): Full CLI + API unlocked. VMs, hybrid modes,
+    compose, advanced networking, tuning, tasks, services, events, config,
+    top, backups, QEMU profiles, desktop/ODE, distributed CAS, clustering,
+    deployments, CI/CD, mesh, vuln scan, BYOK. 500 containers/node.
+  - Enterprise ($99/node/month): + Scale-to-Zero, Packing, Frogger,
+    SSO, RBAC, audit, HSM/FIPS, cross-region CAS sync. Unlimited containers.
+
+Source-available (AGPSL v5) — anti-competition clauses apply to ALL code:
+  - Volt CLI (ALL commands, Community and Pro)
+  - Stellarium CAS (local and distributed)
+  - VoltVisor / Stardust (VMs + hybrid modes)
+  - All packages (networking, security, deploy, cdn, etc.)
+
+Proprietary (closed-source, separate binaries):
+  - Scale-to-Zero (Volt Edge)
+  - Small File Packing (EROFS/SquashFS)
+  - Frogger (database branching)
+  - License Validation Server
+
+Free binary: Pre-compiled binary with Community limits baked in.
+Distributed under usage license (no modification). No copyleft.
+
+Nonprofit Partner Program:
+  - Free Pro tier, unlimited nodes
+  - Requires verification + ongoing relationship
+*/
+package license
+
+const (
+	TierCommunity  = "community"
+	TierPro        = "pro"
+	TierEnterprise = "enterprise"
+)
+
+// Container limits per node by tier
+const (
+	CommunityMaxContainersPerNode  = 50
+	ProMaxContainersPerNode        = 500
+	EnterpriseMaxContainersPerNode = 0 // 0 = unlimited
+)
+
+// MaxContainersPerNode returns the container limit for a given tier
+func MaxContainersPerNode(tier string) int {
+	switch tier {
+	case TierPro:
+		return ProMaxContainersPerNode
+	case TierEnterprise:
+		return EnterpriseMaxContainersPerNode
+	default:
+		return CommunityMaxContainersPerNode
+	}
+}
+
+// TierFeatures maps each tier to its available features.
+// Higher tiers include all features from lower tiers.
+// NOTE: Feature gating enforcement is being implemented.
+// Enterprise-only proprietary features (Scale-to-Zero, Packing, Frogger)
+// are separate binaries and not gated here.
+//
+// CAS PIVOT (2026-03-20): "cas" (local CAS) moved to Community.
+// "cas-distributed" (cross-node dedup/replication) is Pro.
+// "cas-audit" and "cas-cross-region" are Enterprise.
+var TierFeatures = map[string][]string{
+	TierCommunity: {
+		// Core container runtime — bare minimum to run containers
+		"containers",
+		"networking-basic",  // Basic bridge networking only
+		"security-profiles",
+		"ps",                // List running containers (basic operational necessity)
+		"logs",              // View container logs (basic operational necessity)
+		// Stellarium Core — free for all (CAS pivot 2026-03-20)
+		// CAS is the universal storage path. Source-available (AGPSL v5), NOT open source.
+		"cas",           // Local CAS store, TinyVol assembly, single-node dedup
+		"cas-pull",      // Pull blobs from CDN
+		"cas-push",      // Push blobs to CDN
+		"encryption",    // LUKS + CDN blob encryption (baseline, all tiers)
+	},
+	TierPro: {
+		// Community features
+		"containers",
+		"networking-basic",
+		"security-profiles",
+		"ps",
+		"logs",
+		"cas",
+		"cas-pull",
+		"cas-push",
+		"encryption",
+		// Pro features (source-available, license-gated)
+		// --- Moved from Community (2026-03-20, Karl's decision) ---
+		"tuning",           // Resource tuning (CPU/mem/IO/net profiles)
+		"constellations",   // Compose/multi-container stacks
+		"bundles",          // .vbundle air-gapped deployment
+		"networking",       // Advanced networking: VLANs, policies, DNS, firewall rules
+		// --- VM / Hybrid (all modes gated) ---
+		"vms",              // VoltVisor / Stardust + ALL hybrid modes (native, KVM, emulated)
+		"qemu-profiles",    // Custom QEMU profile builds per workload
+		"desktop",          // Desktop/ODE integration
+		// --- Workload management ---
+		"tasks",            // One-shot jobs
+		"services",         // Long-running daemon management
+		"events",           // Event system
+		"config",           // Advanced config management
+		"top",              // Real-time resource monitoring
+		// --- Storage & ops ---
+		"backups",          // CAS-based backup/archive/restore
+		"cas-distributed",  // Cross-node CAS deduplication + replication
+		"cas-retention",    // CAS retention policies
+		"cas-analytics",    // Dedup analytics and reporting
+		"cluster",          // Multi-node cluster management
+		"rolling-deploy",   // Rolling + canary deployments
+		"cicada",           // CI/CD delivery pipelines
+		"gitops",           // GitOps webhook-driven deployments
+		"mesh-relay",       // Multi-region mesh networking
+		"vuln-scan",        // Vulnerability scanning
+		"encryption-byok",  // Bring Your Own Key encryption
+		"registry",         // OCI-compliant container registry (push access)
+	},
+	TierEnterprise: {
+		// Community features
+		"containers",
+		"networking-basic",
+		"security-profiles",
+		"ps",
+		"logs",
+		"cas",
+		"cas-pull",
+		"cas-push",
+		"encryption",
+		// Pro features
+		"tuning",
+		"constellations",
+		"bundles",
+		"networking",
+		"vms",
+		"qemu-profiles",
+		"desktop",
+		"tasks",
+		"services",
+		"events",
+		"config",
+		"top",
+		"backups",
+		"cas-distributed",
+		"cas-retention",
+		"cas-analytics",
+		"cluster",
+		"rolling-deploy",
+		"cicada",
+		"gitops",
+		"mesh-relay",
+		"vuln-scan",
+		"encryption-byok",
+		"registry",         // OCI-compliant container registry (push access)
+		// Enterprise features (in-binary, gated)
+		"cas-cross-region", // Cross-region CAS sync
+		"cas-audit",        // CAS access logging and audit
+		"blue-green",       // Blue-green deployments
+		"auto-scale",       // Automatic horizontal scaling
+		"live-migration",   // Live VM migration
+		"sso",              // SSO/SAML integration
+		"rbac",             // Role-based access control
+		"audit",            // Audit logging
+		"compliance",       // Compliance reporting + docs
+		"mesh-acl",         // Mesh access control lists
+		"gpu-passthrough",  // GPU passthrough for VMs
+		"sbom",             // Software bill of materials
+		"encryption-hsm",   // HSM/FIPS key management
+		// Enterprise proprietary features (separate binaries, listed for reference)
+		// "scale-to-zero"  — Volt Edge (closed-source)
+		// "file-packing"   — EROFS/SquashFS packing (closed-source)
+		// "frogger"        — Database branching proxy (closed-source)
+	},
+}
+
+// TierIncludes checks if a tier includes a specific feature
+func TierIncludes(tier, feature string) bool {
+	features, ok := TierFeatures[tier]
+	if !ok {
+		return false
+	}
+	for _, f := range features {
+		if f == feature {
+			return true
+		}
+	}
+	return false
+}
+
+// FeatureCount returns the number of features available for a tier
+func FeatureCount(tier string) int {
+	features, ok := TierFeatures[tier]
+	if !ok {
+		return 0
+	}
+	return len(features)
+}