Complete infrastructure platform CLI: - Container runtime (systemd-nspawn) - VoltVisor VMs (Neutron Stardust / QEMU) - Stellarium CAS (content-addressed storage) - ORAS Registry - GitOps integration - Landlock LSM security - Compose orchestration - Mesh networking Copyright (c) Armored Gates LLC. All rights reserved. Licensed under AGPSL v5.0
/*
Volt Platform — Feature Gating
Tier-based feature definitions and access control infrastructure

TWO-LICENSE MODEL (revised 2026-03-20):
  ALL source code is AGPSL v5 (source-available). NOTHING is open source.
  Proprietary components are closed-source separate binaries.

Licensing Tiers:
  - Community (Free): Limited CLI — basic container lifecycle, ps, logs,
    local CAS, basic networking, security profiles. 50 containers/node.
  - Pro ($29/node/month): Full CLI + API unlocked. VMs, hybrid modes,
    compose, advanced networking, tuning, tasks, services, events, config,
    top, backups, QEMU profiles, desktop/ODE, distributed CAS, clustering,
    deployments, CI/CD, mesh, vuln scan, BYOK. 500 containers/node.
  - Enterprise ($99/node/month): + Scale-to-Zero, Packing, Frogger,
    SSO, RBAC, audit, HSM/FIPS, cross-region CAS sync. Unlimited containers.

Source-available (AGPSL v5) — anti-competition clauses apply to ALL code:
  - Volt CLI (ALL commands, Community and Pro)
  - Stellarium CAS (local and distributed)
  - VoltVisor / Stardust (VMs + hybrid modes)
  - All packages (networking, security, deploy, cdn, etc.)

Proprietary (closed-source, separate binaries):
  - Scale-to-Zero (Volt Edge)
  - Small File Packing (EROFS/SquashFS)
  - Frogger (database branching)
  - License Validation Server

Free binary: Pre-compiled binary with Community limits baked in.
Distributed under usage license (no modification). No copyleft.

Nonprofit Partner Program:
  - Free Pro tier, unlimited nodes
  - Requires verification + ongoing relationship
*/
package license
// Licensing tier identifiers.
//
// These exact lowercase strings are the keys of TierFeatures and the values
// MaxContainersPerNode compares against. Comparison is byte-exact, so "Pro" or
// " pro" is not TierPro.
const (
	// TierCommunity identifies the free tier.
	TierCommunity = "community"

	// TierPro identifies the Pro tier.
	TierPro = "pro"

	// TierEnterprise identifies the Enterprise tier.
	TierEnterprise = "enterprise"
)
// Container limits per node by tier.
const (
	// CommunityMaxContainersPerNode is the per-node ceiling for the Community tier.
	CommunityMaxContainersPerNode = 50

	// ProMaxContainersPerNode is the per-node ceiling for the Pro tier.
	ProMaxContainersPerNode = 500

	// EnterpriseMaxContainersPerNode is 0, a sentinel meaning "unlimited" rather
	// than a ceiling of zero. Code that compares a container count against a
	// limit must special-case 0 first, or it will treat Enterprise as the most
	// restricted tier instead of the least.
	EnterpriseMaxContainersPerNode = 0 // 0 = unlimited
)
// MaxContainersPerNode reports the per-node container ceiling for tier.
//
// Only the exact strings TierPro and TierEnterprise select a higher ceiling.
// Every other value (TierCommunity, the empty string, a misspelling, or a
// different letter case) yields the Community ceiling, so an unrecognized
// tier falls back to the most restrictive limit.
//
// A result of 0 (returned for TierEnterprise) means "unlimited"; callers must
// check for it before comparing a container count against the result.
//
// NOTE(review): the function trusts tier as given. It presumably comes from a
// license that was validated elsewhere; confirm at the call site.
func MaxContainersPerNode(tier string) int {
	if tier == TierEnterprise {
		return EnterpriseMaxContainersPerNode
	}
	if tier == TierPro {
		return ProMaxContainersPerNode
	}
	// Fail closed: anything unrecognized gets the smallest ceiling.
	return CommunityMaxContainersPerNode
}
// TierFeatures maps each tier to its available features.
// Higher tiers include all features from lower tiers: the Pro and Enterprise
// lists are assembled below from the lower-tier lists, in the same order in
// which they were previously written out by hand.
// NOTE: Feature gating enforcement is being implemented.
// Enterprise-only proprietary features (Scale-to-Zero, Packing, Frogger)
// are separate binaries and not gated here.
//
// CAS PIVOT (2026-03-20): "cas" (local CAS) moved to Community.
// "cas-distributed" (cross-node dedup/replication) is Pro.
// "cas-audit" and "cas-cross-region" are Enterprise.
//
// NOTE(review): this is an exported, mutable map of mutable slices, so any
// package in the process can add or remove entries after initialization.
// Enforcement code should presumably not treat it as tamper-proof, and the
// tier key it is indexed with should come from a validated license; confirm
// both where gating is enforced.
var TierFeatures = func() map[string][]string {
	community := []string{
		// Core container runtime — bare minimum to run containers
		"containers",
		"networking-basic", // Basic bridge networking only
		"security-profiles",
		"ps",   // List running containers (basic operational necessity)
		"logs", // View container logs (basic operational necessity)

		// Stellarium Core — free for all (CAS pivot 2026-03-20)
		// CAS is the universal storage path. Source-available (AGPSL v5), NOT open source.
		"cas",        // Local CAS store, TinyVol assembly, single-node dedup
		"cas-pull",   // Pull blobs from CDN
		"cas-push",   // Push blobs to CDN
		"encryption", // LUKS + CDN blob encryption (baseline, all tiers)
	}

	// Pro features (source-available, license-gated)
	proOnly := []string{
		// --- Moved from Community (2026-03-20, Karl's decision) ---
		"tuning",         // Resource tuning (CPU/mem/IO/net profiles)
		"constellations", // Compose/multi-container stacks
		"bundles",        // .vbundle air-gapped deployment
		"networking",     // Advanced networking: VLANs, policies, DNS, firewall rules

		// --- VM / Hybrid (all modes gated) ---
		"vms",           // VoltVisor / Stardust + ALL hybrid modes (native, KVM, emulated)
		"qemu-profiles", // Custom QEMU profile builds per workload
		"desktop",       // Desktop/ODE integration

		// --- Workload management ---
		"tasks",    // One-shot jobs
		"services", // Long-running daemon management
		"events",   // Event system
		"config",   // Advanced config management
		"top",      // Real-time resource monitoring

		// --- Storage & ops ---
		"backups",         // CAS-based backup/archive/restore
		"cas-distributed", // Cross-node CAS deduplication + replication
		"cas-retention",   // CAS retention policies
		"cas-analytics",   // Dedup analytics and reporting
		"cluster",         // Multi-node cluster management
		"rolling-deploy",  // Rolling + canary deployments
		"cicada",          // CI/CD delivery pipelines
		"gitops",          // GitOps webhook-driven deployments
		"mesh-relay",      // Multi-region mesh networking
		"vuln-scan",       // Vulnerability scanning
		"encryption-byok", // Bring Your Own Key encryption
		"registry",        // OCI-compliant container registry (push access)
	}

	// Enterprise features (in-binary, gated)
	enterpriseOnly := []string{
		"cas-cross-region", // Cross-region CAS sync
		"cas-audit",        // CAS access logging and audit
		"blue-green",       // Blue-green deployments
		"auto-scale",       // Automatic horizontal scaling
		"live-migration",   // Live VM migration
		"sso",              // SSO/SAML integration
		"rbac",             // Role-based access control
		"audit",            // Audit logging
		"compliance",       // Compliance reporting + docs
		"mesh-acl",         // Mesh access control lists
		"gpu-passthrough",  // GPU passthrough for VMs
		"sbom",             // Software bill of materials
		"encryption-hsm",   // HSM/FIPS key management

		// Enterprise proprietary features (separate binaries, listed for reference)
		// "scale-to-zero" — Volt Edge (closed-source)
		// "file-packing" — EROFS/SquashFS packing (closed-source)
		// "frogger" — Database branching proxy (closed-source)
	}

	// concat copies the groups into a fresh, exactly-sized slice so that no
	// two tiers share a backing array and len == cap, as with a literal.
	concat := func(groups ...[]string) []string {
		total := 0
		for _, g := range groups {
			total += len(g)
		}
		joined := make([]string, 0, total)
		for _, g := range groups {
			joined = append(joined, g...)
		}
		return joined
	}

	return map[string][]string{
		TierCommunity:  community,
		TierPro:        concat(community, proOnly),
		TierEnterprise: concat(community, proOnly, enterpriseOnly),
	}
}()
// TierIncludes reports whether feature is listed for tier in TierFeatures.
//
// Both arguments are matched byte-for-byte (case-sensitive, no trimming). A
// tier that is not a key of TierFeatures, or a feature name that is not in
// the tier's list, yields false, so unknown input is denied rather than
// allowed.
//
// NOTE(review): the answer reflects whatever TierFeatures holds at call time
// and trusts tier as given; it is a lookup, not license validation.
func TierIncludes(tier, feature string) bool {
	// Indexing a missing key gives a nil slice, which the loop skips.
	for _, name := range TierFeatures[tier] {
		if name == feature {
			return true
		}
	}
	return false
}
// FeatureCount returns the number of features listed for tier in
// TierFeatures, or 0 when tier is not a key of that map.
func FeatureCount(tier string) int {
	// A missing key yields a nil slice, whose length is 0.
	return len(TierFeatures[tier])
}