DreamLab-AI
diff --git a/‎CHANGELOG.md‎
Lines changed: 18 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 18 additions & 4 deletions b/‎CONTRIBUTING.md‎
Lines changed: 18 additions & 4 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 2 deletions b/‎Cargo.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎LICENSE‎
Lines changed: 661 additions & 0 deletions b/‎LICENSE‎
Lines changed: 661 additions & 0 deletions
diff --git a/‎LICENSE-APACHE‎
Lines changed: 0 additions & 17 deletions b/‎LICENSE-APACHE‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎LICENSE-MIT‎
Lines changed: 0 additions & 22 deletions b/‎LICENSE-MIT‎
Lines changed: 0 additions & 22 deletions
diff --git a/‎NOTICE‎
Lines changed: 46 additions & 103 deletions b/‎NOTICE‎
Lines changed: 46 additions & 103 deletions
diff --git a/‎README.md‎
Lines changed: 25 additions & 26 deletions b/‎README.md‎
Lines changed: 25 additions & 26 deletions
@@ -4,6 +4,24 @@ All notable changes to this crate are recorded here. Format follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the crate
 adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.3.0-alpha.3 — 2026-04-20
+
+### Licence migration (BREAKING)
+
+- Licence changed from dual `MIT OR Apache-2.0` to `AGPL-3.0-only`.
+- Inherited from the JavaScriptSolidServer (JSS) ecosystem covenant; JSS
+  is AGPL-3.0, and solid-pod-rs preserves the network-service copyleft
+  protection rather than weakening it with a permissive relicence.
+- `LICENSE-MIT` and `LICENSE-APACHE` removed; `LICENSE` added with full
+  AGPL-3.0 text.
+- `Cargo.toml` `license` field updated to `"AGPL-3.0-only"`.
+- `NOTICE` rewritten to document AGPL covenant + full provenance chain.
+- `deny.toml` added with AGPL-3.0 on the allowlist for the dependency
+  graph; the denylist posture remains deny-by-default for anything not
+  on the allowlist.
+- Consumers: if you're operating solid-pod-rs as a network service, AGPL
+  §13 requires you to distribute corresponding source to your users.
+
 ## [0.3.0-alpha.2] — 2026-04-20
 
 ### Fixed
 
@@ -88,10 +88,24 @@ deferrals.
 
 ## Licence on contributions
 
-By contributing, you agree that your code is licensed under the dual
-MIT OR Apache-2.0 licence that covers this crate. This mirrors the
-Rust ecosystem norm and is compatible with the Community Solid
-Server's MIT licence.
+solid-pod-rs is licensed **AGPL-3.0-only**, inherited from the
+JavaScriptSolidServer (JSS) ecosystem covenant. By submitting a
+contribution (patch, PR, documentation change) you agree that your
+contribution is licensed under the same AGPL-3.0-only terms, and that
+you have the right to release it under those terms. There is no
+separate CLA; the licence on the file you edit is the licence on your
+change.
+
+Practical implications:
+
+- Contributions under a permissive licence (MIT / Apache-2.0 / BSD)
+  are accepted — permissive upstream code can be relicensed on inbound,
+  and the crate remains AGPL on outbound.
+- Contributions under an incompatible copyleft licence (e.g. GPL-2.0-
+  only, SSPL, BUSL) cannot be merged.
+- If your employer requires a DCO / CLA process, please sign your
+  commits with `git commit -s` and flag the PR so we can record the
+  trail.
 
 ## Security
 
 
@@ -1,9 +1,9 @@
 [package]
 name = "solid-pod-rs"
-version = "0.3.0-alpha.2"
+version = "0.3.0-alpha.3"
 edition = "2021"
 rust-version = "1.75"
-license = "MIT OR Apache-2.0"
+license = "AGPL-3.0-only"
 description = "Rust-native Solid Pod server — LDP-BASIC, WAC, NIP-98, Solid-OIDC, Solid Notifications. Framework-agnostic library crate."
 authors = [
     "DreamLab AI contributors",
 
@@ -1,108 +1,51 @@
-solid-pod-rs
-============
+NOTICE — solid-pod-rs
+=====================
 
-This crate is a Rust-native implementation of a Solid Pod server
-providing LDP-BASIC (Linked Data Platform), WAC (Web Access Control),
-NIP-98 HTTP authentication, Solid-OIDC (0.1), WebID profile
-documents, and Solid Notifications (0.2).
+Copyright (c) 2026 DreamLab-AI and contributors.
 
-Provenance
-----------
-
-solid-pod-rs was extracted from the VisionClaw repository:
-
-    Source:    https://github.com/DreamLab-AI/VisionClaw
-    Path:      crates/solid-pod-rs/
-    Extracted: 2026-04-20
-
-The extraction is a verbatim snapshot of the crate source; no
-VisionClaw-specific code lives in this repository. Extraction history
-is preserved in the `solid-pod-rs-history.bundle` distributed with the
-initial commit.
-
-Upstream lineage
-----------------
-
-1. The WAC evaluator, LDP container semantics, NIP-98 structural
-   checks, and pod provisioning flows originated in the `pod-worker`
-   crate of the community-forum-rs project (AGPL-3.0 in its original
-   context; re-licensed here under MIT OR Apache-2.0 by the copyright
-   holders for clean-room re-use):
-
-       https://github.com/DreamLab-AI/dreamlab-ai-website
-       Path: community-forum-rs/crates/pod-worker
-
-2. community-forum-rs's pod-worker was authored by the DreamLab AI
-   team as a Rust port of their earlier TypeScript `workers/pod-api/`.
-
-3. The project architecture, LDP surface area, and WAC evaluation
-   model draw heavily on JavaScriptSolidServer ("JSS"), maintained by
-   the JavaScriptSolidServer contributors, licensed AGPL-3.0-only:
-
-       https://github.com/JavaScriptSolidServer/JavaScriptSolidServer
-
-   JSS served as the canonical parity reference during porting. We
-   gratefully acknowledge the JavaScriptSolidServer contributors'
-   work in making the Solid Protocol concretely buildable in
-   JavaScript, which made this Rust port tractable.
-
-4. The Solid Protocol specifications (LDP, WAC, Solid-OIDC, Solid
-   Notifications, WebID) are authored by the W3C Solid Community Group
-   and associated W3C working groups. solid-pod-rs tracks:
+This program is free software: you can redistribute it and/or modify it
+under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, version 3.
 
-       - Solid Protocol 0.11:    https://solidproject.org/TR/protocol
-       - WAC:                    https://solidproject.org/TR/wac
-       - Solid-OIDC 0.1:         https://solidproject.org/TR/oidc
-       - Solid Notifications 0.2: https://solidproject.org/TR/notifications-protocol
-       - W3C LDP:                https://www.w3.org/TR/ldp/
+See LICENSE for full AGPL-3.0 terms.
 
-5. NIP-98 (Nostr HTTP authentication) is specified by the Nostr
-   community:
-
-       https://github.com/nostr-protocol/nips/blob/master/98.md
-
-Third-party crates
-------------------
-
-solid-pod-rs depends on community Rust crates including tokio,
-serde, reqwest, spargebra, tokio-tungstenite, jsonwebtoken,
-openidconnect, aws-sdk-s3, and notify. Each retains its own licence;
-see `cargo-about` or `cargo-deny` output for full attribution.
-
-Licensing
----------
-
-Dual-licensed under MIT OR Apache-2.0, at your option. This choice
-matches Rust ecosystem convention.
-
-See `LICENSE-MIT` and `LICENSE-APACHE` for the full texts.
-
-Contributions unless explicitly marked otherwise are accepted under
-the same dual licence per the Apache 2.0 contribution clause.
-
-Licence relationship to JavaScriptSolidServer (JSS)
----------------------------------------------------
-
-JavaScriptSolidServer (https://github.com/JavaScriptSolidServer/JavaScriptSolidServer)
-is licensed AGPL-3.0-only. This Rust crate is NOT a derivative work of JSS's
-JavaScript source code. Specifically:
-
-- The Rust implementation originates from community-forum-rs/crates/pod-worker
-  (written in Rust from scratch, inspired by but not copied from any Solid
-  server implementation).
-- We read JSS's source as a reference-only resource to understand Solid
-  Protocol 0.11 + WAC + LDP + Solid-OIDC + Solid Notifications behaviour.
-- No JSS JavaScript was translated, transliterated, or machine-ported into
-  this crate.
-- The WAC inheritance test corpus (`tests/wac_inheritance.rs`) was
-  independently authored to exercise equivalent edge cases documented by
-  the Solid Protocol. Where test SCENARIOS resemble JSS's own tests,
-  that is because the Solid Protocol admits a finite number of edge cases,
-  not because test code was copied.
-- The JSS-interop fixture tests (`tests/interop_jss.rs`) test against the
-  Solid Protocol via independently-authored request/response fixtures;
-  they do not embed JSS code.
+Provenance
+----------
 
-On that basis this crate is licensed MIT OR Apache-2.0 dual. Consumers who
-wish to bundle JSS and this crate together should verify their own
-compliance with AGPL-3.0's network-service clause for JSS.
+solid-pod-rs inherits its licence from the JavaScriptSolidServer (JSS)
+ecosystem covenant. JSS is an AGPL-3.0-only project maintained by the
+JavaScriptSolidServer organisation at
+https://github.com/JavaScriptSolidServer/JavaScriptSolidServer.
+
+The Rust implementation lineage:
+
+1. JSS (JavaScript, AGPL-3.0-only) — reference implementation + ecosystem
+   covenant origin.
+2. community-forum-rs pod-worker (Rust, AGPL-3.0) — Cloudflare-Worker-
+   specific Rust implementation; original source of the LDP + WAC + NIP-98
+   modules that seeded this crate.
+3. VisionClaw crates/solid-pod-rs (Rust, AGPL-3.0) — extracted + extended
+   to a portable crate with FS/Memory/S3/R2 backends, Solid-OIDC, full
+   Solid Notifications, and 67/67 JSS parity.
+4. dreamlab-ai/solid-pod-rs (Rust, AGPL-3.0) — this standalone repo.
+
+We inherit AGPL-3.0 deliberately to preserve the network-service copyleft
+protection JSS established. Downstream consumers operating solid-pod-rs
+as a network-accessible service must make their corresponding source code
+available to their users per AGPL §13.
+
+Solid Protocol
+--------------
+
+Implementation follows the W3C Solid Protocol 0.11. Protocol specifications
+themselves are not under any licence claim from this project.
+
+Attribution
+-----------
+
+Our gratitude to:
+- the JavaScriptSolidServer contributors for the reference implementation
+  and the AGPL-3.0 covenant we inherit
+- the community-forum-rs contributors for the Rust-native pod-worker lineage
+- the W3C Solid Protocol editors for the specifications
+- the Rust ecosystem crates this work depends on (see Cargo.toml)
@@ -4,7 +4,7 @@
 > Framework-agnostic library crate. Deny-by-default WAC. First-class Nostr auth.
 > Zero Node.js runtime dependency.
 
-[![License: MIT OR Apache-2.0](https://img.shields.io/badge/License-MIT%20OR%20Apache--2.0-blue.svg)](#licence)
+[![License: AGPL-3.0-only](https://img.shields.io/badge/License-AGPL--3.0--only-blue.svg)](#licence)
 [![crates.io](https://img.shields.io/crates/v/solid-pod-rs.svg)](https://crates.io/crates/solid-pod-rs)
 [![docs.rs](https://img.shields.io/docsrs/solid-pod-rs)](https://docs.rs/solid-pod-rs)
 [![CI](https://github.com/dreamlab-ai/solid-pod-rs/actions/workflows/ci.yml/badge.svg)](https://github.com/dreamlab-ai/solid-pod-rs/actions/workflows/ci.yml)
@@ -38,8 +38,8 @@ The Rust implementation originates from
 scratch); JSS is read as a reference-only resource for Solid
 Protocol behaviour. See [`NOTICE`](./NOTICE) §"Licence relationship
 to JavaScriptSolidServer (JSS)" for the full independence claims
-and the rationale for MIT/Apache-2.0 dual licensing despite JSS
-being AGPL.
+and the rationale for AGPL-3.0-only licensing inherited from the
+JSS ecosystem covenant.
 
 Upgrade from `alpha.1` → `alpha.2` is safe with zero API or
 behavioural deltas.
@@ -90,8 +90,8 @@ all of them.
    (path: `community-forum-rs/crates/pod-worker`). Community-forum-
    specific code (forum thread integration, Cloudflare Workers
    bindings, R2 specifics, CF-KV) was factored out during the
-   VisionClaw port. The licensed work is re-released under
-   MIT OR Apache-2.0 by the copyright holders.
+   VisionClaw port. The lineage is AGPL-3.0 throughout and the
+   licence is preserved here unchanged.
 
 3. **Design follows JavaScriptSolidServer (JSS)** — the
    reference JavaScript implementation at
@@ -115,10 +115,10 @@ all of them.
    overall stewardship of the Solid project. LDP is a W3C
    Recommendation. NIP-98 is a specification of the Nostr community.
 
-5. **Licence** — MIT OR Apache-2.0 dual-licence per Rust ecosystem
-   convention. This is compatible with (and deliberately not more
-   restrictive than) CSS's MIT licence; it is also compatible with
-   downstream AGPL-3.0 consumers that re-license.
+5. **Licence** — AGPL-3.0-only, inherited from the JavaScriptSolidServer
+   ecosystem covenant. solid-pod-rs preserves the network-service
+   copyleft protection JSS established; see §"Licence" below for the
+   operational consequences.
 
 See [`NOTICE`](./NOTICE) for the complete provenance record.
 
@@ -747,29 +747,28 @@ General Solid project:
 
 ## Licence
 
-Dual-licensed under either of:
+**AGPL-3.0-only** — inherited from the JavaScriptSolidServer ecosystem
+covenant.
 
-- MIT licence ([`LICENSE-MIT`](./LICENSE-MIT) or
-  <https://opensource.org/licenses/MIT>)
-- Apache Licence, Version 2.0 ([`LICENSE-APACHE`](./LICENSE-APACHE)
-  or <https://www.apache.org/licenses/LICENSE-2.0>)
+This means: if you operate solid-pod-rs as a network-accessible service,
+AGPL §13 requires you to make the corresponding source code available to
+your users under AGPL-3.0 or later. See [`LICENSE`](./LICENSE) and
+[`NOTICE`](./NOTICE) for full terms and provenance.
 
-at your option. This matches Rust ecosystem convention.
+If AGPL-3.0 is incompatible with your project's licence strategy, consider:
+- Contributing upstream rather than hard-forking
+- Using the crate in a sidecar architecture where AGPL obligations are
+  contained to the sidecar process
+- Running JSS itself (same licence; different language)
 
-JSS (the JavaScriptSolidServer reference) is licensed AGPL-3.0-only.
-solid-pod-rs is NOT a derivative work of JSS's JavaScript source, so
-the MIT/Apache-2.0 dual licensing is deliberate and consistent. See
-[`NOTICE`](./NOTICE) §"Licence relationship to JavaScriptSolidServer
-(JSS)" for the full rationale. Consumers bundling both solid-pod-rs
-and JSS together must verify their own compliance with AGPL-3.0's
-network-service clause for JSS.
+We welcome issues + PRs asking about specific compatibility scenarios.
 
 Unless you explicitly state otherwise, any contribution intentionally
-submitted for inclusion in the work by you, as defined in the
-Apache-2.0 licence, shall be dual licensed as above, without any
-additional terms or conditions.
+submitted for inclusion in the work by you shall be licensed under the
+same AGPL-3.0-only terms, without any additional terms or conditions.
 
-See [`NOTICE`](./NOTICE) for attribution details.
+See [`NOTICE`](./NOTICE) for attribution details and the full provenance
+chain.
 
 ---