Open-Core Model
GuardSpine uses an open-core model. The evidence format, verification tools, connectors, and SDKs are open source under Apache 2.0. The governance engine, council system, and cloud platform are proprietary. This page explains exactly where the line is drawn and why.
What's Open (Apache 2.0)
These components are free to use, modify, and redistribute under the Apache 2.0 license. No license key required. No telemetry. No expiration.
- FORMAT Evidence bundle JSON schema and specification
- VERIFY Offline verification of hash chains, root hashes, content hashes, and signatures
- CONNECT Connector template and interface for building integrations with any source system
- CI/CD GitHub Actions and CI pipeline integrations
- SDK Python and TypeScript SDKs for creating and reading bundles
What's Premium (Proprietary)
These components require a commercial license. They provide the governance logic, multi-party approvals, and operational tooling that enterprises need.
- ENGINE Governance engine with L0-L4 risk tiers, guard lanes, and nomotic rules
- COUNCIL AI council system with Byzantine consensus for multi-party review
- CLOUD Multi-tenant SaaS platform with dashboards and analytics
- ENTERPRISE SSO, audit exports, compliance reporting, on-prem deployment
Why This Split
Evidence bundles are the unit of trust in GuardSpine. If you cannot verify a bundle without our permission, the system has a single point of failure. That is unacceptable for a governance product.
So we made verification unconditionally open. Anyone can check any bundle, anytime, with no network connection and no license. The format is documented, the schemas are published, and the verification code is Apache 2.0.
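What "verify any bundle offline" means in practice, as an added example (not the project's code and not the guardspine-spec schema): a simplified bundle layout, made up for this illustration, in which each entry carries a content hash and a chain hash, the root hash is the last chain link, and a signature covers the root. The verifier needs only the bundle and the signing key, never a network call or a license check, and every comparison is timing-safe. The bundle fields, the genesis value and the HMAC-based signature are all assumptions of this example.

```python
import hashlib
import hmac
import json

# Hypothetical bundle layout used only by this example (not guardspine-spec):
#   {"entries": [{"content": str, "content_hash": hex, "prev_hash": hex, "entry_hash": hex}, ...],
#    "root_hash": hex, "signature": hex}
# Chain rule: entry_hash = sha256(prev_hash || content_hash); root_hash = last entry_hash.
# Signature: HMAC-SHA256 over root_hash with a constructed shared key (a stand-in for
# an asymmetric signature, so the example runs on the standard library alone).

GENESIS = "0" * 64  # assumed prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _eq(a: str, b: str) -> bool:
    """Constant-time equality so a mismatch does not leak how many leading bytes matched."""
    return hmac.compare_digest(a.encode(), b.encode())


def build_bundle(contents, key: bytes) -> dict:
    """Constructs a bundle for the demo; the verifier below never relies on this."""
    entries, prev = [], GENESIS
    for content in contents:
        content_hash = sha256_hex(content.encode())
        entry_hash = sha256_hex(bytes.fromhex(prev) + bytes.fromhex(content_hash))
        entries.append({"content": content, "content_hash": content_hash,
                        "prev_hash": prev, "entry_hash": entry_hash})
        prev = entry_hash
    signature = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "root_hash": prev, "signature": signature}


def verify_bundle(bundle: dict, key: bytes) -> tuple:
    """Offline check of content hashes, the hash chain, the root hash and the signature.
    Returns (True, "ok") or (False, reason) naming the first check that failed."""
    entries = bundle.get("entries", [])
    if not entries:
        return False, "empty bundle"
    prev = GENESIS
    try:
        for i, e in enumerate(entries):
            if not _eq(e["content_hash"], sha256_hex(e["content"].encode())):
                return False, f"entry {i}: content hash mismatch"
            if not _eq(e["prev_hash"], prev):
                return False, f"entry {i}: chain broken (prev_hash)"
            expected = sha256_hex(bytes.fromhex(prev) + bytes.fromhex(e["content_hash"]))
            if not _eq(e["entry_hash"], expected):
                return False, f"entry {i}: entry hash mismatch"
            prev = e["entry_hash"]
    except (KeyError, ValueError, AttributeError):
        return False, "malformed entry"
    if not _eq(bundle.get("root_hash", ""), prev):
        return False, "root hash mismatch"
    expected_sig = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not _eq(bundle.get("signature", ""), expected_sig):
        return False, "signature invalid"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the example
    bundle = build_bundle(["deploy api v1.2", "ci: tests passed", "approved: release"], key)
    print(json.dumps(bundle, indent=2))
    print(verify_bundle(bundle, key))
    bundle["entries"][1]["content"] = "ci: tests skipped"  # tamper with one entry
    print(verify_bundle(bundle, key))
```

Because the chain rule folds every earlier entry into the root, editing, dropping or reordering any entry breaks a later link before the signature is even checked; the signature then binds the whole chain to the issuer.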
The premium components handle orchestration: deciding what gets reviewed, routing approvals through risk tiers, running AI council debates, and providing operational dashboards. These are the features that require ongoing engineering and support, and they fund the continued development of the open-source components.
OSS Boundary Rules
These rules govern what stays open source. They are commitments, not guidelines.
| Rule | Commitment |
|---|---|
| R0 | Evidence bundle format and schemas are always open. |
| R1 | Offline verification of any bundle is always open. |
| R2 | Connector interfaces and templates are always open. |
| R3 | CI/CD integrations (GitHub Actions, GitLab CI) are always open. |
| R4 | SDKs for creating and reading bundles are always open. |
| R5 | The governance engine, council logic, and guard lanes are premium. |
| R6 | Cloud hosting, dashboards, analytics, and enterprise features are premium. |
Repository Map
Open Source
| Repository | Description | License | |
|---|---|---|---|
| guardspine-kernel | Offline evidence bundle verification with timing-safe comparisons | Apache 2.0 | View on GitHub |
| guardspine-verify | Offline evidence bundle verification CLI | Apache 2.0 | View on GitHub |
| guardspine-spec | Evidence bundle specification and JSON schemas | Apache 2.0 | View on GitHub |
| guardspine-connector-template | Connector boilerplate for source systems | Apache 2.0 | View on GitHub |
| guardspine-local-council | Local LLM council for offline artifact review via Ollama | Apache 2.0 | View on GitHub |
| guardspine-adapter-webhook | Webhook adapter for evidence bundle delivery to Slack, Teams, Discord, and custom endpoints | Apache 2.0 | View on GitHub |
| rlm-docsync | Self-updating documentation with evidence proofs | Apache 2.0 | View on GitHub |
| n8n-nodes-guardspine | n8n community nodes for AI governance workflows | Apache 2.0 | View on GitHub |
Premium
| Repository | Description | License | |
|---|---|---|---|
| guardspine-product | Core governance engine, council system, guard lanes | Proprietary | Contact for Enterprise |
| guardspine-cloud | Multi-tenant SaaS platform, dashboards, analytics | Proprietary | Contact for Enterprise |
| guardspine-enterprise | SSO, audit exports, compliance reporting | Proprietary | Contact for Enterprise |
FAQ
Can I verify bundles without paying?
Yes. guardspine-verify is Apache 2.0. You can verify any evidence bundle offline, forever, with no license key.
Can I build my own connectors?
Yes. The connector template and SDK are open source. Build connectors for any system you want.
What happens if GuardSpine the company disappears?
Your evidence bundles remain verifiable. The verification tool, schemas, and SDKs are Apache 2.0. They do not phone home.
Can I self-host the governance engine?
The governance engine is proprietary. Contact us for on-premise licensing options.
Will open-source components ever become proprietary?
No. Once released under Apache 2.0, that version stays Apache 2.0. We follow the boundary rules (R0-R6) listed on this page.
Do I need the premium product to get value from GuardSpine?
Depends on your needs. If you just need verifiable evidence trails for CI/CD, the open-source tools are enough. If you need multi-party governance, council reviews, risk-tiered approval flows, or dashboards, you need the premium product.