Open-Core Model

sos-vault appliance is open core: the entire source tree is published under the GNU Affero General Public License v3.0 or later, and a small set of features is gated behind a paid license that funds continued development. Read this document if you want to know exactly where that line sits and what you get on each side of it.

The open-core baseline (free forever)

A fresh install with no license file uploaded gives you:

  • One admin user — the account planted by the installer. The Filament Create User action is hidden and the User::creating() model hook refuses additional rows.
  • A plain vault directory — default /vault, editable from Disk Manager. Not LUKS-encrypted. Provisioned by sos-vault:ensure-plain-vault on first boot.
  • Mail SMTP configuration so the single admin can receive password-reset email.
  • The full sosreport import / analysis pipeline that is the core value of the product. Upload, decrypt, browse, annotate, export — all of this works on the baseline.
  • Local AI Assistant using the bundled Ollama model (the AI Assistant settings page is gated; the runtime is not).
  • This documentation served at /blog/standalone/*.

What a license unlocks

Installing a valid signed .lic file via Manage License unhides:

  • Multi-user up to the license's seat cap. The original admin is always permitted; additional Team Member users count against the seat budget.
  • Groups (teams) with admin-provisioned LUKS-backed shared vaults — one vault per group, all members share access.
  • Module installation via the Modules admin page.
  • ITSM integration — ServiceNow / Jira / Salesforce ticket creation and update.
  • Event Log — the full audit trail of vault open / close / expand / shrink, license install / expire, login blocks, group create / delete, and more.
  • AI Assistant settings page for switching providers or tuning the model.
  • Appliance Vaults settings for default new-group vault size.
  • Authentication settings page for sign-in providers and password rules.

How to get a license

  1. From the admin panel, open License.
  2. In the Request a License section, click Generate License Request. The appliance derives this host's machine tokens and shows a short key (prefixed SOSV1.); click Copy key.
  3. Visit sos-vault.com, sign in to your customer account, open Verify License Request, paste the key, and submit. The SaaS side validates the key and records the hardware tokens that will bind the issued license to this exact machine.
  4. Once verified, purchase a license (basic plan + N seats) via Paddle. On payment, the SaaS side mints a .lic file signed by the license-issuer key and bound to your server's hardware tokens.
  5. Download the .lic from your sos-vault.com Customer Portal → Licenses page.
  6. Back on the appliance, in the same License page, drop the .lic into the Install License uploader and click Install. The signature is verified locally against the appliance's public keyring, the machine tokens are matched, and the license is persisted. Every gated surface reappears on the next page load.

What happens when the license expires

The expiry check runs on every request via LocalLicense::current() and once daily via sos-vault:check-license-expiry (which fires a single LICENSE_EXPIRED event the first time it sees a freshly expired license).

Once the license has lapsed:

  • The gated UI surfaces re-hide.
  • Non-admin users are logged out at the next request by the BlockUnlicensedNonAdmin middleware and redirected to the login screen with a friendly "license expired" flash. The OPEN_CORE_DEGRADED_LOGIN_BLOCKED event records each blocked attempt.
  • The admin can still sign in to renew the license.
  • Existing extra users and groups remain in the database untouched. Renewing the license restores access with zero data loss; you can also re-install the same expired license file after extending the term and the rows that were dormant simply come back.

Why open core

Security tooling has a high trust bar. We believe operators should be able to read every line of code that runs on their data plane, audit the encryption and licensing logic, and run the product behind any firewall without ever calling home. The AGPLv3 license guarantees that — including for anyone who forks sos-vault and runs it as a hosted service.

The paid tier funds continued development, sosreport plugin authorship, security review, and the SaaS minting infrastructure. There is no closed-source binary: the gate between "free" and "paid" is a cryptographic signature verification, not a license-only DLL. Every line of app/Services/LocalLicenseService.php, app/Services/MachineTokenService.php, and the helper scripts that derive host machine tokens is in the public repository under the same AGPL license as the rest of the code.

Source repository

The public mirror is published from this same source tree minus the SaaS-only paths (marketing pages, Paddle integration, license-minting service). See scripts/opencore-deny-list.txt for the full exclusion list, and .github/workflows/publish-opencore.yml for the publishing pipeline.