Open-Core Model
sos-vault appliance is open core: the entire source tree is published under the GNU Affero General Public License v3.0 or later, and a small set of features is gated behind a paid license that funds continued development. Read this document if you want to know exactly where that line sits and what you get on each side of it.
The open-core baseline (free forever)
A fresh install with no license file uploaded gives you:
- One admin user — the account planted by the
installer. The Filament Create User action is hidden and the
User::creating()model hook refuses additional rows. - A plain vault directory — default
/vault, editable from Disk Manager. Not LUKS-encrypted. Provisioned bysos-vault:ensure-plain-vaulton first boot. - Mail SMTP configuration so the single admin can receive password-reset email.
- The full sosreport import / analysis pipeline that is the core value of the product. Upload, decrypt, browse, annotate, export — all of this works on the baseline.
- Local AI Assistant using the bundled Ollama model (the AI Assistant settings page is gated; the runtime is not).
- This documentation served at
/blog/standalone/*.
What a license unlocks
Installing a valid signed .lic file via Manage License
unhides:
- Multi-user up to the license's seat cap. The original admin is always permitted; additional Team Member users count against the seat budget.
- Groups (teams) with admin-provisioned LUKS-backed shared vaults — one vault per group, all members share access.
- Module installation via the Modules admin page.
- ITSM integration — ServiceNow / Jira / Salesforce ticket creation and update.
- Event Log — the full audit trail of vault open / close / expand / shrink, license install / expire, login blocks, group create / delete, and more.
- AI Assistant settings page for switching providers or tuning the model.
- Appliance Vaults settings for default new-group vault size.
- Authentication settings page for sign-in providers and password rules.
How to get a license
- From the admin panel, open License.
- In the Request a License section, click Generate
License Request. The appliance derives this host's machine
tokens and shows a short key (prefixed
SOSV1.); click Copy key. - Visit sos-vault.com, sign in to your customer account, open Verify License Request, paste the key, and submit. The SaaS side validates the key and records the hardware tokens that will bind the issued license to this exact machine.
- Once verified, purchase a license (basic plan + N seats) via
Paddle. On payment, the SaaS side mints a
.licfile signed by the license-issuer key and bound to your server's hardware tokens. - Download the
.licfrom your sos-vault.com Customer Portal → Licenses page. - Back on the appliance, in the same License page, drop the
.licinto the Install License uploader and click Install. The signature is verified locally against the appliance's public keyring, the machine tokens are matched, and the license is persisted. Every gated surface reappears on the next page load.
What happens when the license expires
The expiry check runs on every request via
LocalLicense::current() and once daily via
sos-vault:check-license-expiry (which fires a single
LICENSE_EXPIRED event the first time it sees a freshly
expired license).
Once the license has lapsed:
- The gated UI surfaces re-hide.
- Non-admin users are logged out at the next request by the
BlockUnlicensedNonAdminmiddleware and redirected to the login screen with a friendly "license expired" flash. TheOPEN_CORE_DEGRADED_LOGIN_BLOCKEDevent records each blocked attempt. - The admin can still sign in to renew the license.
- Existing extra users and groups remain in the database untouched. Renewing the license restores access with zero data loss; you can also re-install the same expired license file after extending the term and the rows that were dormant simply come back.
Why open core
Security tooling has a high trust bar. We believe operators should be able to read every line of code that runs on their data plane, audit the encryption and licensing logic, and run the product behind any firewall without ever calling home. The AGPLv3 license guarantees that — including for anyone who forks sos-vault and runs it as a hosted service.
The paid tier funds continued development, sosreport plugin
authorship, security review, and the SaaS minting infrastructure.
There is no closed-source binary: the gate between "free" and "paid"
is a cryptographic signature verification, not a license-only DLL.
Every line of app/Services/LocalLicenseService.php,
app/Services/MachineTokenService.php, and the helper scripts
that derive host machine tokens is in the public repository under the
same AGPL license as the rest of the code.
Source repository
The public mirror is published from this same source tree minus the
SaaS-only paths (marketing pages, Paddle integration, license-minting
service). See scripts/opencore-deny-list.txt for the full
exclusion list, and .github/workflows/publish-opencore.yml
for the publishing pipeline.