ADR-012: AGPL v3 + Commercial Dual License

Status: Accepted

Date: 2026-03-17

Context

OpenLatch is designed as a universal open source reference implementation (ADR-000). Before the project attracts external contributors, the license must be decided. Three goals are in tension:

  1. Community use: hackerspaces, makerspaces, and community spaces should be able to deploy OpenLatch freely, inspect the code, and contribute improvements back.
  2. Copyleft reciprocity: a company should not be able to take the codebase, make minor changes, and sell it as a proprietary product without contributing back.
  3. Commercial opportunity: the project maintainers should be able to offer a paid product (managed backend service, supported hardware bundles, enterprise SLA) without being blocked by the community license.

Once third-party contributions are accepted without a Contributor License Agreement (CLA), dual licensing becomes legally impossible — each contributor's code is locked into whatever license governed it at the time of contribution. The license decision and CLA process must therefore be in place before any external PRs are merged.

Decision

Community license: GNU Affero General Public License v3.0 (AGPL-3.0)

AGPL-3.0 is the standard choice for open-source projects using a commercial dual-license model. It is used by MongoDB, Grafana, Nextcloud, Mastodon, and many others in the same position.

Why AGPL, not GPL: The OpenLatch backend is a web service. GPL has a well-known loophole: running modified code as a network service does not constitute "distribution," so source disclosure is not required. A competitor could fork the backend, run it as a managed service for paying customers, and never release a line of code. AGPL closes this loophole — any party offering a modified version as a network service must make the complete source available to the users of that service.

What AGPL requires:

  • Anyone who distributes software incorporating OpenLatch (e.g., sells a hardware bundle with the firmware) must provide the complete corresponding source under AGPL-3.0.
  • Anyone who runs a modified version as a network service must make their modifications available to users of that service.
  • Self-hosting, modification, and internal use are unrestricted.

What AGPL does not restrict:

  • Community spaces using OpenLatch for their own door — completely free.
  • Organisations hosting their own installation — completely free.
  • Developers contributing improvements — completely free.

Commercial license: separate paid agreement

Organisations that cannot or will not comply with AGPL may obtain a commercial license from the maintainers. Typical customers:

  • Hardware manufacturers embedding the firmware in a proprietary product without releasing their modifications.
  • Companies offering a managed access-control service without disclosing their backend.
  • Enterprises requiring warranty, SLA, or legal indemnification.

The commercial license is a private contract that grants all AGPL rights plus permission to keep modifications proprietary and to sublicense to end customers. It is the revenue model that funds continued development of the open source core.

Contributor License Agreement (CLA): license grant model

Dual licensing only works if the project owner can legally include all contributions in commercial releases. This requires either copyright ownership of every contribution, or an explicit sublicensing right from each contributor.

The chosen model is a license grant (not copyright assignment): contributors retain copyright but grant the maintainers a perpetual, irrevocable, sublicensable license to use their contributions under any license, including commercial ones. This is the same model used by Google, the Apache Software Foundation, and others. It is less philosophically contentious than full copyright assignment while achieving the same practical result for dual licensing.

The CLA is documented in CLA.md. Signing is done by comment on a pull request. Automated enforcement via CLA Assistant may be added later.

Until the CLA process is operational, no external contributions may be merged.

Same license for firmware and backend

Both the ESP32 firmware and the Python/FastAPI backend are licensed under AGPL-3.0. Splitting them (e.g., firmware under GPL, backend under AGPL) would add complexity for no practical benefit at this stage and create confusion for contributors.

Consequences

  • Community spaces, hackerspaces, and individuals can deploy and modify OpenLatch freely under AGPL-3.0.
  • A competitor running a modified version as a managed service must either release their changes or purchase a commercial license — they cannot build a closed product for free.
  • The maintainers can offer a commercial product (managed backend, hardware bundles, enterprise support) under a separate paid license.
  • External contributions require CLA sign-off before merging; the CLA process must be set up before the first external PR is accepted.
  • The LICENSE file at the repository root contains the full AGPL-3.0 text.
  • COMMERCIAL_LICENSE.md explains the commercial offering and provides a contact path.
  • CLA.md contains the contributor agreement text.

See also