Skip to content

chore: narrow BSL Additional Use Grant and add CLA #408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Aureliolo merged 8 commits into from
Mar 14, 2026
Merged

chore: narrow BSL Additional Use Grant and add CLA #408

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
5173853
chore: narrow BSL Additional Use Grant and add CLA
Aureliolo Mar 14, 2026
3fdd487
fix: address pre-PR review findings
Aureliolo Mar 14, 2026
cf66128
fix: resolve zizmor findings in CLA and release workflows
Aureliolo Mar 14, 2026
f3d3abf
fix: address reviewer feedback on license consistency and CI
Aureliolo Mar 14, 2026
d19562a
refactor: merge redundant Source Available section into License & Usage
Aureliolo Mar 14, 2026
9f3b733
fix: remove pre-created CLA signatures file and clarify conversion ti…
Aureliolo Mar 14, 2026
82a3b5b
fix: move zizmor suppressions from inline comments to .zizmor.yml
Aureliolo Mar 14, 2026
8f53b02
fix: replace hardcoded Change Date with relative description
Aureliolo Mar 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .github/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,14 @@
## [0.1.4](https://github.com/Aureliolo/synthorg/compare/v0.1.3...v0.1.4) (2026-03-14)


### License

* narrow BSL 1.1 Additional Use Grant — free production use for non-competing organizations with fewer than 500 employees and contractors ([#406](https://github.com/Aureliolo/synthorg/issues/406))
* add Contributor License Agreement (CLA) with automated enforcement for dual-licensing support
* add licensing rationale documentation page explaining BSL choice, what's permitted, and invitation for feedback
* auto-update BSL Change Date to 3 years ahead on each release


### Features

* add approval workflow gates to TaskEngine ([#387](https://github.com/Aureliolo/synthorg/issues/387)) ([2db968a](https://github.com/Aureliolo/synthorg/commit/2db968a21fb0f0afa42eb990ee70cbb7b71d2ae5))
Expand Down
12 changes: 10 additions & 2 deletions .github/CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,14 @@ web/ # Web UI scaffold (nginx + placeholder)

See [docs/getting_started.md](../docs/getting_started.md) for descriptions of each sub-package.

## License
## License & CLA

This project is licensed under [BUSL-1.1](../LICENSE). By contributing, you agree that your contributions will be licensed under the same terms.
This project is licensed under [BUSL-1.1](../LICENSE) (Business Source License 1.1).

### Contributor License Agreement

Before your first contribution can be merged, you must sign the [Contributor License Agreement (CLA)](../CLA.md). This is required to enable dual-licensing (BSL + commercial licenses for enterprise customers).

**How to sign:** When you open your first pull request, a bot will post a comment asking you to sign. Simply reply with the text specified in the comment — no forms, no external services. Your signature is recorded as a JSON entry in this repository.

The CLA grants SynthOrg a perpetual, non-exclusive license to your contributions. You retain full ownership of your work and can use it however you wish.
45 changes: 45 additions & 0 deletions .github/workflows/cla.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
name: CLA

on:
issue_comment:
types: [created]
pull_request_target:
types: [opened, synchronize, reopened]
Comment thread
coderabbitai[bot] marked this conversation as resolved.

permissions: {}

jobs:
cla-check:
name: CLA Signature Check
runs-on: ubuntu-latest
if: |
(github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'dependabot[bot]') ||
Copy link
Copy Markdown

@greptile-apps greptile-apps Bot Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing bot/owner allowlist — CLA bot will fire on Release Please PRs

The only excluded actor is dependabot[bot], but Release Please also opens PRs to main — under RELEASE_PLEASE_TOKEN. If that token is a PAT, the CLA action will run against the PAT owner's GitHub account, prompting them (via bot comment) to sign the CLA on every release PR. If it is a GitHub App token, the action will attempt to check the app identity, which cannot sign.

contributor-assistant/github-action exposes an allowlist parameter for exactly this purpose. It accepts a comma-separated list of GitHub usernames (and supports wildcard *bot* patterns). Without it, every Release Please PR, plus any PR opened by the repo owner, generates an unnecessary CLA-unsigned comment.

Suggested change
(github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'dependabot[bot]') ||
if: |
(github.event_name == 'pull_request_target' &&
github.event.pull_request.user.login != 'dependabot[bot]' &&
!endsWith(github.event.pull_request.user.login, '[bot]')) ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')

Or, preferably, pass an allowlist to the action itself so the logic lives in one place:

        with:
          # …existing params…
          allowlist: Aureliolo,github-actions[bot],release-please[bot]
Prompt To Fix With AI 
This is a comment left during a code review.
Path: .github/workflows/cla.yml
Line: 16

Comment:
**Missing bot/owner allowlist — CLA bot will fire on Release Please PRs**

The only excluded actor is `dependabot[bot]`, but Release Please also opens PRs to `main` — under `RELEASE_PLEASE_TOKEN`. If that token is a PAT, the CLA action will run against the PAT owner's GitHub account, prompting them (via bot comment) to sign the CLA on every release PR. If it is a GitHub App token, the action will attempt to check the app identity, which cannot sign.

`contributor-assistant/github-action` exposes an `allowlist` parameter for exactly this purpose. It accepts a comma-separated list of GitHub usernames (and supports wildcard `*bot*` patterns). Without it, every Release Please PR, plus any PR opened by the repo owner, generates an unnecessary CLA-unsigned comment.

```suggestion
    if: |
      (github.event_name == 'pull_request_target' &&
       github.event.pull_request.user.login != 'dependabot[bot]' &&
       !endsWith(github.event.pull_request.user.login, '[bot]')) ||
      (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')
```

Or, preferably, pass an `allowlist` to the action itself so the logic lives in one place:
```yaml
        with:
          # …existing params…
          allowlist: Aureliolo,github-actions[bot],release-please[bot]
```

How can I resolve this? If you propose a fix, please make it concise.

(github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')
permissions:
contents: write
pull-requests: write
actions: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: main
persist-credentials: false
- uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
path-to-signatures: .github/cla-signatures.json
path-to-document: CLA.md
branch: main
custom-notsigned-prcomment: |
Thank you for your contribution! Before we can merge this PR, you need to sign the [Contributor License Agreement](https://github.com/${{ github.repository }}/blob/main/CLA.md).

**To sign**, please reply to this comment with the following exact text:

> I have read the CLA Document and I hereby sign the CLA

You only need to sign once — it covers all future contributions.
custom-pr-sign-comment: I have read the CLA Document and I hereby sign the CLA
custom-allsigned-prcomment: All contributors have signed the CLA. Thank you!
lock-pullrequest-aftermerge: false
use-dco-flag: false
25 changes: 25 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,32 @@ jobs:
pull-requests: write
steps:
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
id: release
with:
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
config-file: .github/release-please-config.json
manifest-file: .github/.release-please-manifest.json

# When Release Please creates/updates a release PR, update the BSL
# Change Date to 3 years from today. The date update ships as part
# of the release PR, so it goes through normal review + merge flow.
- name: Checkout Release PR branch
if: steps.release.outputs.pr != ''
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: release-please--branches--main # must match the repo default branch name
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
Comment on lines +28 to +33
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "actions/checkout@|persist-credentials|RELEASE_PLEASE_TOKEN|git push" .github/workflows/release.yml

Repository: Aureliolo/synthorg

Length of output: 275

🏁 Script executed:

cat -n .github/workflows/release.yml | head -60

Repository: Aureliolo/synthorg

Length of output: 2090

🌐 Web query:

GitHub Actions persist-credentials false checkout token inline authentication best practice

💡 Result:

Best practice (vs “inline token in git URL”)

  • Prefer actions/checkout’s token: input (and/or ssh-key) instead of embedding a token in a remote URL. actions/checkout manages auth for you and removes it in post-job cleanup; you can opt out of persisting credentials with persist-credentials: false. [1]
  • Set persist-credentials: false unless later steps truly need to run authenticated git commands (push, fetch private submodules, etc.). Otherwise you’re intentionally making that credential available to subsequent steps in the job. [1]
  • Use least-privilege permissions for the job’s token (permissions:) to reduce blast radius if anything in the job is compromised. [2][3]
  • If you must access a different private repo, use a dedicated secret (PAT) via token: (or better, a GitHub App token), because github.token is scoped to the current repo. [1]

Example (safe default: no persisted git creds)

permissions:
  contents: read

steps:
  - uses: actions/checkout@v6
    with:
      persist-credentials: false
      fetch-depth: 0

Example (need to checkout another private repo)

permissions:
  contents: read

steps:
  - uses: actions/checkout@v6
    with:
      repository: my-org/my-private-tools
      token: ${{ secrets.GH_PAT }}
      persist-credentials: false

Why avoid “inline auth” (e.g., https://x-access-token:...@github.com/...): it’s easy to leak via logs, process listings, or persisted git config/remotes; using token: avoids having to place the credential in the URL at all. [1][2]

Avoid persisting PAT credentials during checkout.

The code checks out with a PAT without persist-credentials: false, leaving the token in git config for the job duration. However, the suggested approach of embedding the token directly in the git push URL is explicitly discouraged by GitHub Actions — credentials in URLs are easier to leak through logs or process listings.

Consider instead:

  • Use SSH keys for the checkout and git operations (preferred)
  • Or use token: with persist-credentials: false and pair it with SSH authentication for the push
🧰 Tools
🪛 GitHub Actions: Workflow Security

[warning] 28-28: Checkout Release PR branch: persist-credentials not set to false.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 28 - 33, The checkout step using
actions/checkout (uses: actions/checkout@de0fac2e450...) is persisting the PAT
in the job git config; update the step to avoid leaving credentials by adding
persist-credentials: false and then switch push operations to SSH (preferred) or
configure an SSH key via actions/checkout + ssh-agent so pushes use the SSH
remote; alternatively, if you must use the token for fetch, keep token: ${{
secrets.RELEASE_PLEASE_TOKEN }} but set persist-credentials: false and ensure
subsequent git push uses SSH auth (configure ssh-agent/setup-ssh) rather than
the persisted PAT.


- name: Update BSL Change Date (release + 3 years)
if: steps.release.outputs.pr != ''
Comment on lines +29 to +36
run: |
new_date=$(LC_TIME=C date -d "+3 years" "+%B %-d, %Y") # GNU date (ubuntu-latest)
echo "Updating Change Date to: $new_date"
sed -i "s/^Change Date: .*/Change Date: $new_date/" LICENSE
grep -q "^Change Date:.*$new_date" LICENSE || { echo "ERROR: sed pattern did not match; Change Date was not updated"; exit 1; }
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add LICENSE
git diff --cached --quiet && echo "Change Date already up to date" && exit 0
Comment thread
greptile-apps[bot] marked this conversation as resolved.
git commit -m "chore: update BSL Change Date to $new_date"
git push
13 changes: 13 additions & 0 deletions .zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,16 @@ rules:
# The project uses daily checks with grouped minor/patch to stay current.
dependabot-cooldown:
disable: true

dangerous-triggers:
ignore:
# pull_request_target is required for CLA enforcement (needs write
# access to commit signatures). Mitigated: checkout uses ref: main
# (not PR head), no untrusted input in run: steps.
- cla.yml

artipacked:
ignore:
# persist-credentials required to push the Change Date commit back
# to the release PR branch.
- release.yml
119 changes: 119 additions & 0 deletions CLA.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
# SynthOrg Contributor License Agreement

Thank you for your interest in contributing to SynthOrg. This Contributor
License Agreement ("Agreement") documents the rights granted by contributors
to the SynthOrg project.

This is a legally binding document, so please read it carefully before agreeing.

## 1. Definitions

"You" (or "Your") means the copyright owner or legal entity authorized by the
copyright owner that is making this Agreement. For legal entities, the entity
making a contribution and all other entities that control, are controlled by, or
are under common control with that entity are considered to be a single
contributor.

"Contribution" means any original work of authorship, including any
modifications or additions to an existing work, that is intentionally submitted
by You to SynthOrg for inclusion in, or documentation of, the project. For the
purposes of this definition, "submitted" means any form of electronic, verbal,
or written communication sent to the project maintainers, including but not
limited to communication on electronic mailing lists, source code control
systems, and issue tracking systems that are managed by, or on behalf of, the
project for the purpose of discussing and improving the work.

"Project" means the SynthOrg software project, including all repositories under
the SynthOrg organization.

## 2. Grant of Copyright License

Subject to the terms and conditions of this Agreement, You hereby grant to the
Project maintainers and to recipients of software distributed by the Project a
perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare derivative works of, publicly display,
publicly perform, sublicense, and distribute Your Contributions and such
derivative works.

## 3. Grant of Patent License

Subject to the terms and conditions of this Agreement, You hereby grant to the
Project maintainers and to recipients of software distributed by the Project a
perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
patent license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the work, where such license applies only to those patent
claims licensable by You that are necessarily infringed by Your Contribution(s)
alone or by combination of Your Contribution(s) with the work to which such
Contribution(s) was submitted.

## 4. Outbound Licensing

As a condition on the grant of rights in Sections 2 and 3, the Project
maintainers agree to license the Contribution under the terms of the license(s)
that the Project uses for the work at the time of the Contribution (including
any additional licensing arrangements). The Project may offer the Contribution
under additional license terms, including commercial licenses, to enable
dual-licensing.

## 5. Representations

You represent that:

(a) You are legally entitled to grant the above licenses. If your employer(s)
has rights to intellectual property that you create that includes your
Contributions, you represent that you have received permission to make
Contributions on behalf of that employer, or that your employer has waived such
rights for your Contributions to the Project.

(b) Each of Your Contributions is Your original creation. You represent that
Your Contribution submissions include complete details of any third-party
license or other restriction (including, but not limited to, related patents and
trademarks) of which you are personally aware and which are associated with any
part of Your Contributions.

(c) You are not expected to provide support for Your Contributions, except to
the extent You desire to provide support. You may provide support for free, for
a fee, or not at all.

## 6. Retention of Rights

You retain ownership of the copyright in Your Contributions. This Agreement
does not transfer ownership; it only grants the licenses described above. You
are free to use Your Contributions in any way you see fit, including licensing
them to others under any terms you choose.

## 7. Attribution

The Project maintainers will make reasonable efforts to include attribution to
contributors, such as maintaining a contributors list or preserving authorship
information in version control history.

## 8. No Obligation

You acknowledge that the Project maintainers are under no obligation to accept
or include Your Contributions in the Project.

---

## How to Sign

When you open your first pull request to SynthOrg, a bot will comment asking
you to sign this CLA. To sign, reply to the bot's comment with the exact text
it specifies. Your signature is stored in this repository at
`.github/cla-signatures.json`.

You only need to sign once — the agreement covers all future contributions.

---

## Corporate Contributions

If you are making contributions on behalf of a company or organization, an
authorized representative of the organization must sign a Corporate CLA. To
initiate this, please open an issue titled "Corporate CLA: [Organization Name]"
and a maintainer will follow up.

The Corporate CLA covers the same terms as above, extended to all employees and
contractors authorized by the organization to contribute. The authorized
representative must list the GitHub usernames of individuals covered by the
agreement.
6 changes: 4 additions & 2 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

- **What**: Framework for building synthetic organizations — autonomous AI agents orchestrated as a virtual company
- **Python**: 3.14+ (PEP 649 native lazy annotations)
- **License**: BUSL-1.1 (converts to Apache 2.0 on 2030-02-27)
- **License**: BUSL-1.1 with narrowed Additional Use Grant (free production use for non-competing small orgs; converts to Apache 2.0 three years after release)
- **Layout**: `src/ai_company/` (src layout), `tests/` (unit/integration/e2e), `web/` (Vue 3 dashboard), `cli/` (Go CLI binary)
- **Design**: [DESIGN_SPEC.md](DESIGN_SPEC.md) (pointer to `docs/design/` pages)

Expand Down Expand Up @@ -72,6 +72,7 @@ cd cli && golangci-lint run # lint
- **Architecture**: `docs/architecture/` (overview, tech-stack, decision log)
- **Roadmap**: `docs/roadmap/` (status, open questions, future vision)
- **Security**: `docs/security.md` (comprehensive security architecture, hardening, CI/CD security, compliance)
- **Licensing**: `docs/licensing.md` (license rationale, what's permitted, CLA, FAQ)
- **Reference**: `docs/reference/` (research, standards)
- **REST API reference**: `docs/rest-api.md` — links to standalone Scalar UI page at `docs/_generated/api-reference.html` (both generated by `scripts/export_openapi.py` in CI)
- **Library reference**: `docs/api/` — auto-generated from docstrings via mkdocstrings + Griffe (AST-based, no imports)
Expand Down Expand Up @@ -261,7 +262,8 @@ cli/ # Go CLI binary (cross-platform, manages Docker lifecycle)
- **OSSF Scorecard**: `.github/workflows/scorecard.yml` — supply chain maturity scoring on push to main + weekly schedule. SARIF upload to Security tab. Contributes to OpenSSF ecosystem data via `publish_results: true`.
- **DAST**: `.github/workflows/dast.yml` — ZAP API scan against the backend OpenAPI spec on push to main + weekly schedule. Builds backend image locally, starts container, runs ZAP. Results available as workflow artifacts (no SARIF — action v0.10.0 lacks native SARIF output). Not on PRs (too slow).
- **Socket.dev**: GitHub App — supply chain attack detection on PRs (typosquatting, malware, suspicious ownership changes, obfuscated code). No config file needed, auto-comments on PRs.
- **Release**: `.github/workflows/release.yml` — Release Please (Google) auto-creates a release PR on every push to main. Merging the release PR creates a git tag (`vX.Y.Z`) + GitHub Release with changelog. Tag push triggers the Docker workflow to build version-tagged images. Uses `RELEASE_PLEASE_TOKEN` secret (PAT/GitHub App token) so tag creation triggers downstream workflows (GITHUB_TOKEN cannot). Config in `.github/release-please-config.json` and `.github/.release-please-manifest.json`.
- **CLA**: `.github/workflows/cla.yml` — Contributor License Agreement signature check on PRs via `contributor-assistant/github-action`. Triggers on `pull_request_target` and `issue_comment`. Skips Dependabot. Signatures stored in `.github/cla-signatures.json`.
- **Release**: `.github/workflows/release.yml` — Release Please (Google) auto-creates a release PR on every push to main. Merging the release PR creates a git tag (`vX.Y.Z`) + GitHub Release with changelog. Tag push triggers the Docker workflow to build version-tagged images. Uses `RELEASE_PLEASE_TOKEN` secret (PAT/GitHub App token) so tag creation triggers downstream workflows (GITHUB_TOKEN cannot). Config in `.github/release-please-config.json` and `.github/.release-please-manifest.json`. After creating/updating a release PR, auto-updates the BSL Change Date in LICENSE to 3 years ahead.

## Dependencies

Expand Down
40 changes: 25 additions & 15 deletions LICENSE
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,21 +5,31 @@ Parameters

Licensor: Aurelio
Licensed Work: SynthOrg. The Licensed Work is (c) 2026 Aurelio.
Additional Use Grant: You may make non-production use of the Licensed Work for
personal, educational, research, and evaluation purposes only.
Production use and commercial use of the Licensed Work require
a separate commercial license from the Licensor.

"Production use" means using the Licensed Work or any
derivative work in a live, revenue-generating, or
business-critical environment, including but not limited to:
deploying the Licensed Work as part of a commercial product or
service, using it to generate revenue directly or indirectly,
or offering it to third parties on a hosted or embedded basis.

"Non-production use" means use solely for personal learning,
academic research, testing, development, and evaluation in
non-commercial settings.
Additional Use Grant: You may use the Licensed Work in production, provided
that:

(a) You do not offer the Licensed Work, or any product
or service whose substantial value derives from the
functionality of the Licensed Work, to third parties on
a hosted, managed, or embedded basis ("Competing Use");
and

(b) Your organization, together with its affiliates, has
fewer than 500 employees and individual contractors at
the time of use ("Small Organization").

Organizations that meet both (a) and (b) may use the
Licensed Work freely in production without a separate
license. All other production use — including Competing
Use by any organization, or any production use by
organizations with 500 or more employees and individual
contractors — requires a commercial license from the
Licensor, which may be granted at no cost at the
Licensor's discretion.

Non-production use (personal learning, academic research,
testing, development, evaluation) is always permitted
regardless of organization size.
Change Date: February 27, 2030
Change License: Apache License, Version 2.0

Expand Down
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
<p align="center">
<a href="https://github.com/Aureliolo/synthorg/actions/workflows/ci.yml"><img src="https://github.com/Aureliolo/synthorg/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
<a href="https://codecov.io/gh/Aureliolo/synthorg"><img src="https://codecov.io/gh/Aureliolo/synthorg/branch/main/graph/badge.svg" alt="Coverage"></a>
<a href="https://github.com/Aureliolo/synthorg/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-BSL_1.1-blue" alt="License"></a>
<a href="https://github.com/Aureliolo/synthorg/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-BSL_1.1_(source_available)-blue" alt="License"></a>
<a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/python-3.14%2B-blue" alt="Python"></a>
<a href="https://synthorg.io/docs"><img src="https://img.shields.io/badge/docs-synthorg.io-purple" alt="Docs"></a>
<a href="https://securityscorecards.dev/viewer/?uri=github.com/Aureliolo/synthorg"><img src="https://api.securityscorecards.dev/projects/github.com/Aureliolo/synthorg/badge" alt="OpenSSF Scorecard"></a>
Expand Down Expand Up @@ -155,4 +155,4 @@ Core framework complete — agent engine, multi-agent coordination, API, securit

## License

[Business Source License 1.1](LICENSE) — converts to Apache 2.0 on 2030-02-27.
[Business Source License 1.1](LICENSE) — free production use for non-competing organizations with fewer than 500 employees and contractors. Each version converts to Apache 2.0 three years after release. See [licensing details](https://synthorg.io/docs/licensing/) for the full rationale and what's permitted.
3 changes: 2 additions & 1 deletion docs/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,4 +130,5 @@ The design spec covers the full architecture of SynthOrg — from agent identity
## Links

- [GitHub Repository](https://github.com/Aureliolo/synthorg)
- [License](https://github.com/Aureliolo/synthorg/blob/main/LICENSE) (BSL 1.1 → Apache 2.0 on 2030-02-27)
- [License](https://github.com/Aureliolo/synthorg/blob/main/LICENSE) (BSL 1.1, source available — free production use for non-competing small orgs; converts to Apache 2.0 three years after release)
- [Licensing & Usage](licensing.md) — what's permitted, why BSL, and how to get a commercial license
Loading
Loading