Terms of Service

The Rules

Other platforms bury their rules in 47 pages of legalese that protect the corporation and bind the user. We don't have a corporation.

These are the actual rules of how this ecosystem works. Read them in two minutes. Disagree? Fork it. It's open source.

01 The Traffic Light

Every package on GrafHub has a trust signal. It is not assigned by us – it is computed from the network. Your reputation, your vouches, your proof. Nobody at GrafHub flips a switch. The math does.

Green

Battle-tested. Multiple attestations. Build proof verified. The community trusts this package.

age > 30d · users ≥ 10 · dependents ≥ 3
publisher score ≥ 40 · has proof

Yellow

Actively maintained, gaining traction. A few attestations. Proof exists. Reasonable to adopt; pin the exact version you reviewed.

age > 7d · users ≥ 2 · has proof

Orange

New or unproven. No vouches yet. This is where every package starts. Earn your way up.

default · fresh upload · no attestations

Red

Flagged. Betrayal detected, malware found, or trust revoked. Do not install.

manually flagged · malware detection

02 How You Earn Green

Nobody assigns trust. You build it. Ship code, include build proof, get vouched. The traffic light is a function of your behaviour – not your payment status.

STEP 1

Generate your Soul Key

graf key generate

STEP 2

Publish with build proof

graf release create 1.0.0 --run-tests

STEP 3

Get vouched by peers

graf vouch grf:a8b7c9d2

STEP 4

Traffic light upgrades automatically

orange → yellow → green

03 What You Get

Green unlocks graf-ops – the orchestration engine that replaces Jira, Jenkins, and Linear. No signup, no trial period, no "contact sales". Your code earned it.

graf-ops basic

Green Light

Free – earned by shipping code

  • Intent ingestion – bugs, features, feedback
  • Automated triage & classification
  • Repo-scoped rules engine
  • Board, timeline, and stats views
  • Full CAS provenance chain
  • Self-hosted, federated, sovereign

graf-ops sovereign

Sovereign Tier

Paid – for teams that run production

  • Everything in Basic
  • Agent dispatch & autonomous execution
  • Multi-chapter coordination
  • Full traceability & audit trail
  • Compliance dashboards
  • Autonomy graduation (executor → contributor → sovereign)
  • Advanced LLM classifier with SLA
  • Priority federation peering
  • Managed hosting option

04 The Contract

These are not aspirations. These are invariants. If we break them, the code is open source – fork it and run your own.

  1. Your keys, your identity. Ed25519 Soul Key is generated on your machine. We never see your private key. We never will. There is no password reset because there is no password: lose the private key and you lose the identity, so guard it accordingly.
  2. No training on your code. Your repositories are not training data. Not for us, not for partners, not for anyone. This is not a policy – it is an architectural impossibility. We run edge workers, not GPU farms.
  3. No KYC, no signup forms. Your Soul Key is your account. graf key generate is the entire onboarding flow.
  4. Trust is computed, not assigned. The traffic light algorithm is deterministic and open source. Nobody at GrafHub promotes packages manually; the only manual intervention is the red flag, and it only ever removes trust, never grants it. The formula is in the code. Read it.
  5. Sovereignty is non-negotiable. Every feature of graf-ops Basic works self-hosted. You can run your own GrafHub node. Federation is a protocol, not a product.
  6. The index is free forever. Package manifests, version metadata, and the registry index will never be paywalled. You pay for artifact storage and enterprise governance – not for the right to exist in the ecosystem.
  7. Anti-gaming is structural. Self-vouching is detected and excluded. Score-zero keys generate no trust signal. Sybil resistance is built into the reputation math, not enforced by moderators.
  8. Open source, always. Graf, graf-ops, and the traffic light algorithm are LCL-1.0 licensed. The code is the contract. If we ever betray these rules, the code remains.
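As an added illustration (this is not GrafHub's own code; the real formula lives in the open-source repository), the following classifier applies the thresholds listed under 01 The Traffic Light together with the anti-gaming rule in item 7 above. The Package and Vouch records, their field names, and the minimum vouch counts for green and yellow are assumptions, since the page only says "multiple" and "a few" attestations; every sample package is constructed.

```python
# Added illustration of the traffic-light rules stated on this page.
# Not GrafHub's code. Record layout, field names and the minimum vouch
# counts are assumptions made for the example.
from dataclasses import dataclass, field
from enum import Enum


class Light(str, Enum):
    GREEN = "green"
    YELLOW = "yellow"
    ORANGE = "orange"
    RED = "red"


# The page says "multiple" (green) and "a few" (yellow) attestations but
# gives no number; these minimums are assumptions.
GREEN_MIN_VOUCHES = 2
YELLOW_MIN_VOUCHES = 1


@dataclass
class Vouch:
    voucher: str        # Soul Key id of the peer who ran `graf vouch`
    voucher_score: int  # that peer's own publisher score


@dataclass
class Package:
    publisher: str      # Soul Key id of the publishing key
    age_days: int
    users: int
    dependents: int
    publisher_score: int
    has_proof: bool     # build proof attached to the release
    vouches: list = field(default_factory=list)
    flagged: bool = False           # manual red flag
    malware_detected: bool = False  # scanner hit


def effective_vouches(pkg: Package) -> list:
    """Anti-gaming rule: a self-vouch and a vouch from a score-zero key
    carry no signal, and one key counts once however often it vouches."""
    seen, kept = set(), []
    for v in pkg.vouches:
        if v.voucher == pkg.publisher:   # self-vouch: excluded
            continue
        if v.voucher_score <= 0:         # score-zero key: no trust signal
            continue
        if v.voucher in seen:            # repeat vouch from the same key
            continue
        seen.add(v.voucher)
        kept.append(v)
    return kept


def unmet_green_conditions(pkg: Package) -> list:
    """Names of the green-light thresholds the package does not meet."""
    checks = {
        "age > 30d": pkg.age_days > 30,
        "users >= 10": pkg.users >= 10,
        "dependents >= 3": pkg.dependents >= 3,
        "publisher score >= 40": pkg.publisher_score >= 40,
        "has proof": pkg.has_proof,
        f"vouches >= {GREEN_MIN_VOUCHES}":
            len(effective_vouches(pkg)) >= GREEN_MIN_VOUCHES,
    }
    return [name for name, ok in checks.items() if not ok]


def traffic_light(pkg: Package) -> Light:
    """Deterministic: red wins, then green, then yellow, else orange."""
    if pkg.flagged or pkg.malware_detected:
        return Light.RED
    if not unmet_green_conditions(pkg):
        return Light.GREEN
    if (pkg.age_days > 7 and pkg.users >= 2 and pkg.has_proof
            and len(effective_vouches(pkg)) >= YELLOW_MIN_VOUCHES):
        return Light.YELLOW
    return Light.ORANGE


# Constructed sample data, not real registry records.
PEERS = [Vouch("grf:a8b7c9d2", 61), Vouch("grf:0c44e1aa", 38),
         Vouch("grf:f19d7b03", 52)]

MATURE = Package("grf:1111aaaa", age_days=45, users=20, dependents=5,
                 publisher_score=55, has_proof=True, vouches=PEERS)

# Same metrics, but the "attestations" are the publisher's own key, a
# score-zero key and one genuine peer vouching twice: one vouch survives.
GAMED = Package("grf:1111aaaa", age_days=45, users=20, dependents=5,
                publisher_score=55, has_proof=True,
                vouches=[Vouch("grf:1111aaaa", 55), Vouch("grf:deadbeef", 0),
                         PEERS[0], PEERS[0]])

FRESH = Package("grf:2222bbbb", age_days=0, users=0, dependents=0,
                publisher_score=0, has_proof=False)

FLAGGED = Package("grf:1111aaaa", age_days=45, users=20, dependents=5,
                  publisher_score=55, has_proof=True, vouches=PEERS,
                  malware_detected=True)
```

Running `traffic_light` over the four samples gives green, yellow, orange and red respectively; `unmet_green_conditions(GAMED)` returns only the vouch threshold, which is the Sybil case item 7 describes: the gamed package has every metric a green package has, yet the math strips its padded attestations down to one real peer. Red is tested first so a flag or malware hit overrides every other metric, matching the page's "do not install" regardless of history.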

05 Why We Exist

You already know why. We just have the receipts.

They trained Copilot on your code

Microsoft took every public repo – including GPL-licensed code – and fed it into a commercial AI product. No consent. No attribution. No shame.

They comply with every takedown

DMCA. Government requests. Corporate pressure. Your repo can vanish overnight because a lawyer sent an email. Centralized hosting means centralized censorship.

They own your dependency graph

GitHub + npm + VS Code + Copilot = one company controls how you write, publish, discover, and install code. That's not an ecosystem – it's a walled garden.

That's it. No appendix. No amendments. No arbitration clause.

graf key generate → graf release create 1.0.0 → graf release publish