0. Why this document exists
rederive's product is trust. A "trust-nothing" package manager whose steward can be trusted only on their word is a contradiction — so we are not asking for your word. We are signing ours.
We have watched this movie. An open project earns a community, becomes load-bearing infrastructure, and then — under growth pressure or an investor's spreadsheet — relicenses, hobbles the free tier, or quietly betrays the people who built its adoption. (Terraform → BSL → the OpenTofu fork is the canonical case.) The community always knew it was possible, because nothing was ever promised in writing.
This charter is that writing. It binds Apilify Inc. regardless of ownership, funding, board, or acquisition.
1. Make something awesome, first
The mission is to build the best verified-recompose toolchain and the most useful catalog of verified packages in the world — and give it away. Monetization follows adoption; it never precedes it and never compromises it. If a feature is needed to verify or re-derive software, it lives in the open core — full stop. Greatness of the free thing is the strategy, not a loss leader for it.
2. What is open — and stays open
The open core is licensed Apache-2.0 and comprises, at minimum:
- The rdv CLI — check, vis, resynth, and any command required to verify or re-derive a package.
- The SIR specification and package format — developed as an open standard.
- The verified-recompose loop — decompile → held-out oracle → quorum re-derivation.
- The public catalog of @rederive/* verified packages and their contracts.
Released open versions stay open forever — the Apache-2.0 grant is irrevocable; no change-date, no clawback. The line moves only outward — we may open more, never close what is open. No retroactive relicensing — any future license change applies only going forward, is announced in advance, and never touches a released version. Your right to fork the last open release is guaranteed by the license and sacred to us.
3. The catalog is a public good
Re-releasing verified, dependency-free replacements for abandoned, sabotaged, or risky packages is a gift to the commons — and, frankly, our best marketing. Every @rederive/* package is proof the method works, in public, for free.
- The public catalog is free, forever.
- We will never paywall the ability to verify or re-derive a public package. If colors is in the catalog, anyone can rdv check or rdv resynth it at no cost, today and always.
- We publish the contract — spec + held-out oracle + hashes — not just the bytes, so the verification is yours to run, not ours to gatekeep.
4. What we charge for — and what we never will
Revenue comes from making rederive better for teams and enterprises operating it at scale — value a fork of the CLI does not hand you.
Fair to charge for
- Managed re-derivation — hosted, on-demand
- Private catalogs for internal/proprietary code
- Continuous verification & drift alerts
- Governance — SSO/SAML, RBAC, audit logs
- Compliance attestation — EU CRA / SSDF / SOC 2 evidence
- Support, SLAs, and indemnification
We will never
- Charge to verify or re-derive a public package
- Remove or degrade a core capability to force an upgrade
- Ship a deliberately hobbled open version beside a paid one
- Put the format or spec behind a fee, license, or patent assertion
- Sell user telemetry or run ads in the open-source tool
- Use a contributor agreement to privatize contributors' work
5. How we treat the community
- Contributions are credited. We use a lightweight DCO model; no CLA that lets us privatize what you gave us.
- We upstream our fixes to the open core rather than hoarding them for the paid tier.
- We don't compete unfairly with our own ecosystem. If someone builds a great thing on rederive, we don't clone-and-bundle to kill it.
- Security findings are handled in the open, with credit, on a responsible-disclosure timeline.
6. Monetization timing
We will not introduce paid tiers until the open core is genuinely adopted and loved — measured by real usage, not by our impatience for revenue. When paid tiers arrive, every one of them must pass the same test:
Does this make the team / enterprise experience better — without making the individual / open-source experience worse? If a feature only works by degrading the free experience, it fails this charter and we don't ship it.
7. The anti-rug-pull mechanism
These promises are not aspirational; they are a condition of the trust that is the company's primary asset. Breaking them does not unlock revenue — it destroys the moat. We state that plainly so that any future pressure to violate this charter meets this sentence: doing so vaporizes the thing that makes rederive valuable.
- This charter binds Apilify Inc. through any change of ownership, investment, board composition, or acquisition.
- Amendments are published openly, take effect only going forward, and never retroactively reduce a freedom already granted.
- The community's right to fork the open core is permanent and guaranteed by Apache-2.0. We consider a fork the ultimate check on us, and we accept it.
We additionally commit to evaluate, as the company matures, an eventual-open guarantee — converting commercial source to the open license after a fixed period — recorded here so we are held to the conversation.
Signed,
Lane Thompson — Founder & CEO, Apilify Inc.
This is the canonical version and supersedes any contrary statement elsewhere. To report a violation, open an issue or email lane@apilify.com.