@3030-labs/wotw 0.8.4

package/CHANGELOG.md

@@ -0,0 +1,312 @@
+# Changelog
+
+All notable, user-visible changes to `@3030-labs/wotw` are documented in this
+file. Internal closure documents (`PASS-*.md`, `SHIP-V*.md`, `REVIEW-*.md`)
+are referenced for traceability but not enumerated here.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/);
+this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+Until 1.0, minor-version bumps may carry breaking changes; patch bumps are
+always non-breaking.
+
+---
+
+## [0.8.4] — 2026-05-26 — Public-launch readiness (PASS-023)
+
+### Added
+- **README rewrite** for first-time visitors: tagline, 5-line install,
+  30-second quickstart with concrete output. Deeper feature copy moved
+  to [`docs/`](docs/).
+- **Install evidence on 4 platforms** committed under
+  [`docs/install-evidence/`](docs/install-evidence/): macOS arm64,
+  macOS amd64, Linux amd64, Windows amd64. Each carries a passing
+  terminal log of `npm install → wotw init → ingest → wiki update`.
+- **`docs/self-hosted-byok.md`** — where the Anthropic / OpenAI / Gemini
+  key goes, failure modes (missing / invalid / rate-limited), rotation
+  procedure for self-hosted users.
+- **`docs/llm-provider-auto-resolution.md`** — why Pass B fact extraction
+  defaults off under metered API providers (Anthropic / OpenAI / Gemini)
+  and on under cost-free runtimes (Claude Code CLI subscription / Ollama),
+  with the config override (`fact_extraction.force_enabled`).
+- **`docs/pack-format-daemon.md`** — daemon-side wire format for the
+  Compliance Pack consumed by the customer-side
+  [`wotw-verify`](https://github.com/3030-Labs/wotw-verify) binary.
+  Marketplace semantics explicitly out of scope.
+- **`docs/telemetry.md`** + opt-in BYO-DSN Sentry breadcrumbs on `wotw init`
+  failures. **Disabled by default.** No 3030 Labs DSN embedded; users
+  provide their own Sentry project via `WOTW_TELEMETRY_DSN`.
+- **`LICENSE-NOTICES.md`** — AGPL-3.0 in plain English (derivative work,
+  network-use clause, wotw-cloud boundary, fork rules). Attorney-disclaimable.
+- **`.github/ISSUE_TEMPLATE/*.yml`** — bug_report, feature_request, question
+  as GitHub issue forms. Security disclosures routed to `SECURITY.md`.
+- **Error-message audit on 10 unhappy paths** — every one now emits a
+  loud, actionable error with the user's next step, not a stack trace.
+  Paths: missing `OBSIDIAN_VAULT_PATH`, malformed config, native-binding
+  load failure on `better-sqlite3`, invalid Anthropic key (401),
+  rate-limited Anthropic (429), missing wiki-dir permissions, locked
+  vault file, port conflict, daemon already running, `wotw init` against
+  a non-empty vault.
+
+### Changed
+- **`CONTRIBUTING.md`** rewritten to centre AGPL implications, the DCO
+  sign-off requirement (Developer Certificate of Origin), and the 7-gate
+  shipping discipline.
+- **`SECURITY.md`** updated SLA (5 business days acknowledgment, 30
+  calendar days fix-or-disclosure for high-severity), and adds explicit
+  safe-harbor language for good-faith researchers.
+- **`package.json`** metadata: homepage points to wotw.dev, keywords
+  expanded for npm discovery, `SECURITY.md` + `CHANGELOG.md` +
+  `LICENSE-NOTICES.md` now ship in the tarball.
+
+### Fixed (operator dogfood batch)
+- **`wotw status` provenance-record count** read 0 against a populated
+  chain (double-prefixed the already-absolute chain path). Now correct.
+- **`wotw start --foreground`** ran a subsystem-less stub daemon; now
+  spawns the same fully-wired daemon as detached mode, with live logs
+  on the terminal.
+- **Claude Code CLI 401** (not logged in) now surfaces a loud, actionable
+  "run `claude /login`" error instead of a silent skipped batch.
+- **`wotw approve` / `wotw reject`** now accept a leading `candidates/`
+  path prefix (matches the `wotw candidates` + `wotw audit` display).
+- **`wotw init`** no longer prints a misleading "Cancelled." when you
+  press Escape on the optional post-scaffold "Open in Obsidian?" prompt.
+- **README + docs** corrected: candidates → approve → wiki flow made
+  explicit; from-source install uses `npm install -g .` (not the broken
+  `pnpm link --global`); init-walkthrough layout matches the real scaffold.
+
+### Verification
+- 7 build gates green at HEAD.
+- **935 tests** across the unit / integration / e2e tiers.
+- Operator dogfood (24 findings, 10 fixed this pass): see
+  `PASS-023-DOGFOOD-FINDINGS.md`.
+- See `PASS-023-DAEMON-PUBLIC-READINESS.md` for the full closure trail.
+
+> **Not yet on npm.** v0.8.4 is built + committed but publish is deferred
+> to a follow-up pass gated on the DriftVane → 3030-Labs org migration.
+> Install from source per the README until then.
+
+---
+
+## [0.8.3] — 2026-05-25 — KEK rotation + DEK auto-archive
+
+### Added
+- **KEK rotation** (`wotw keys rotate-kek`): generates a new KEK,
+  re-wraps every active and rotating DEK, archives the previous KEK
+  metadata. Revoked DEKs are deliberately skipped (compliance: revoked
+  material stays revoked).
+- **DEK auto-archive cron**: configurable schedule under
+  `keys.auto_archive` rolls DEKs from `rotating` → `archived` after a
+  retention window expires.
+- **`docs/policies/dek-rotation.md`** — operator runbook for both
+  manual and scheduled rotation.
+
+### Verification
+- See `PASS-019-G5-COMPLETION.md`. CT1.01 (operationally complete) +
+  G5 substrate signoff.
+
+---
+
+## [0.8.2] — 2026-05-24 — G5 end-to-end attestation substrate
+
+### Added
+- **Workspace-key substrate** (`workspace_keys.db`) under
+  `~/.wotw/<tenant>/keys.db`. Active + rotating + archived DEK lifecycle
+  states. Hex-encoded encrypted-DEK / nonce / auth-tag columns mirror
+  the daemon-cloud wire format.
+- **HMAC-SHA256 attestation** field on provenance records: every chain
+  entry now carries (optionally) an HMAC under the active DEK,
+  enabling offline verification of (record content × key custody)
+  without disclosing the DEK itself.
+- **`key_id` propagation** in ProvenanceRecord (canonical-payload
+  EXCLUDED — see [`docs/provenance.md`](docs/provenance.md)). New
+  optional field stored on record for verification routing, not in the
+  canonical id hash, preserving backward-compatibility with pre-G5
+  daemons.
+
+### Security
+- Tenant-managed DEKs never persist as plaintext beyond the
+  in-memory KeyStore window.
+- KEK plaintext is never logged.
+
+### Verification
+- See `PASS-018-G5-CLOSURE.md`. Closes CT1.01 (partial → done) and
+  unblocks every downstream CT1.x – CT5.x checklist item.
+
+---
+
+## [0.8.1] — 2026-05-22 — better-sqlite3 native-binding fix
+
+### Fixed
+- **Docker image native-binding mismatch**: `better-sqlite3` was being
+  copied from a host build into the runtime image, leading to
+  `node-gyp` / glibc symbol mismatches at first DB-open. The Dockerfile
+  now runs `pnpm rebuild better-sqlite3` against the runtime base image
+  and exercises the resulting binding end-to-end as a build-time gate.
+  Closes the "first cloud-side spawn" failure pattern.
+
+### Added
+- **`scripts/docker-native-rebuild-verify.sh`** — invoked by the
+  Dockerfile build stage; refuses to ship if the binding fails to load.
+
+### Verification
+- See `SHIP-V0.8.1.md`.
+
+---
+
+## [0.8.0] — 2026-05-19 — Pass B fact-level retrieval + G5 scaffolding
+
+This release bundled two substantive workstreams. Version skipped 0.5 –
+0.7 to converge on a single shippable image; commits internally
+identified Pass A as v0.7.0 and Pass B as v0.8.0.
+
+### Added — Context-efficiency Pass B (fact-level retrieval)
+- **`query_facts`** MCP tool: BM25-fused retrieval over atomic
+  `(entity, statement)` pairs + synthetic questions extracted at
+  ingestion. **80%+ token reduction** vs page-level retrieval on
+  atomic-question benchmark fixtures. See
+  [`docs/mcp-tools.md`](docs/mcp-tools.md) and
+  [`CONTEXT-EFFICIENCY-PASS-B.md`](CONTEXT-EFFICIENCY-PASS-B.md).
+- **`source_layer`** response field on `define` / `relate` /
+  `cite_sources` — clients can see whether a hit came from the fact
+  layer or the page layer.
+- **`fallback: "page-level"`** signal when the fact layer is disabled —
+  Pass-A clients route to `query_progressive` automatically without
+  manual config.
+- **`wotw facts reindex`** — populate the fact layer over an existing
+  wiki. Budget-gated, idempotent.
+- **`fact_extraction.force_enabled`** config knob — see
+  [`docs/llm-provider-auto-resolution.md`](docs/llm-provider-auto-resolution.md)
+  for the auto-resolution rationale.
+
+### Added — Context-efficiency Pass A (progressive + structural retrieval)
+- **`query_progressive`** MCP tool: smallest-viable-answer-first
+  retrieval. Tier-0 (top hit's lede) is ~100-300 tokens with a
+  continuation token for expand-on-signal. **86-99% token reduction**
+  vs the legacy `query` payload. See
+  [`CONTEXT-EFFICIENCY-PASS-A.md`](CONTEXT-EFFICIENCY-PASS-A.md).
+- **`estimate_query_cost`** — pre-flight token estimate so clients
+  know what a retrieval will cost before committing.
+- **`define` / `relate` / `cite_sources`** — narrow structural
+  retrieval primitives at 256 / 768 / 512 token caps.
+
+### Added — G5 scaffolding
+- Provenance-record HMAC field landed as optional (substrate-only,
+  not yet exercised end-to-end — that's v0.8.2). Forward/backward-
+  compatible canonical-payload-exclusion: old daemons compute identical
+  id+chain_hash with the new field present-but-ignored.
+
+### Verification
+- See `SHIP-V0.8.0.md`, `CONTEXT-EFFICIENCY-PASS-A.md`,
+  `CONTEXT-EFFICIENCY-PASS-B.md`.
+
+---
+
+## [0.4.0] — 2026-05-15 — Multi-LLM provider closure
+
+### Added
+- **Anthropic provider** (the existing built-in, formalized as a
+  pluggable provider with config-driven dispatch).
+- **OpenAI provider** (Phase 007): GPT-4o + GPT-4o-mini, ingestion
+  + query parity.
+- **Gemini provider** (Phase 008): gemini-1.5-pro + gemini-1.5-flash,
+  ingestion + query parity.
+- **Ollama provider** (Phase 009): local-model dispatch over HTTP,
+  free runtime tier.
+- **Per-tenant provider config** (Phase 010): each tenant selects a
+  primary provider + optional fallback chain. `wotw.config.yaml`
+  carries `llm.providers[]` with role-typed entries.
+
+### Changed
+- **`queue.ts`** main ingestion path refactored to single-pass dispatch
+  (Phase 006) — highest-risk regression surface; full Phase A regression
+  suite green.
+- **`heal-handlers`** likewise refactored to single-pass JSON-edit
+  pipeline (Phase 005).
+
+### Verification
+- See `MULTI-LLM-PHASE-A.md`, `FEATURE-PASS-005.md` through
+  `FEATURE-PASS-010.md`.
+
+---
+
+## [0.2.x] — 2026-04-12 to 2026-05-09 — Patch releases
+
+Hosted-mode fixes, MCP entrypoint correction (`entry.js` vs
+`wotw start --foreground`), Fly-registry caching workaround,
+`pathToClaudeCodeExecutable` resolution. Tags: `v0.2.3` through
+`v0.2.8`.
+
+---
+
+## [0.2.0] — 2026-04-12
+
+### Features
+- **Interactive init wizard** (`wotw init`): 7-step @clack/prompts
+  wizard with Obsidian vault auto-detection, overlay support, and
+  optional vault launch.
+- **Knowledge health system**: 5-factor quality scoring (staleness,
+  source availability, link health, duplicate risk, contradiction risk)
+  with configurable weights and thresholds.
+- **Auto-healing** (`wotw lint --fix`): 5 heal handlers (stale pages,
+  duplicates, broken links, missing backlinks, contradictions) with
+  budget pre-flight, per-run caps, and provenance records.
+- **Deletion handling**: archive provenance type for removed source
+  files; orphaned wiki pages get `status: orphaned` frontmatter
+  instead of deletion.
+- **Lint scheduler**: optional background lint runs via
+  `lint.schedule_enabled` config with configurable interval.
+- **Dead-letter queue**: JSONL ledger for failed batches, surfaced
+  in `wotw status` and `get_stats` MCP tool.
+- **`wotw logs` command**: tail daemon log with `-f`/`--follow` and
+  rotation detection.
+- **Retrieval hardening**: LLM-powered query expansion, richer YAML
+  metadata extraction, query-performance metrics logging, and
+  consolidated search results.
+- **Candidates workflow**: human review queue with `wotw approve`,
+  `wotw reject`, `wotw candidates`. Superseded-candidate detection
+  on re-ingestion.
+
+### Security
+- Timing-safe token comparison via `crypto.timingSafeEqual` for
+  legacy single-token auth.
+- Canonical path validation (`resolveWikiPath`) rejects directory
+  traversal.
+- No-auth safety rail refuses MCP server start on non-loopback host
+  without auth configured.
+- Eager provenance hashing eliminates lazy end-of-batch race window.
+- Credential redaction (9 patterns) applied to all wiki content
+  before storage.
+
+### Quality
+- 446 tests across 51 files (up from 192 across 16 in 0.1.0).
+- Two independent adversarial audits all resolved.
+
+---
+
+## [0.1.0] — 2026-03-15 — Initial release
+
+### Added
+- **Daemon lifecycle:** `wotw init`, `wotw start`, `wotw stop`,
+  `wotw status` with detached-child process model, PID/lock file
+  management, graceful shutdown.
+- **Watcher:** chokidar-backed file watcher with exponential backoff
+  debouncing.
+- **Ingestion pipeline:** Claude agent runner, wiki-writer
+  reconciliation, bidirectional link repair, index rebuild, search
+  re-index, git commit per batch.
+- **Wiki store:** categorized markdown pages with YAML frontmatter,
+  atomic writes, slug sanitization, path-safe IO.
+- **Search:** minisearch BM25 with title/tag boost.
+- **MCP server:** stateless streamable-HTTP exposing `search`,
+  `list_pages`, `read_page`, `query`, `get_index`, `get_stats`,
+  `related_pages`, `get_provenance_log`, `verify_provenance`,
+  `synthesize`. Rate limiting + bearer-token auth.
+- **Cost tracking:** per-operation and daily dollar budgets, hard
+  caps enforced before every LLM call.
+- **Provenance chain:** append-only SHA-256 chain of every
+  state-mutating operation. `wotw audit` walks the chain and reports
+  tampering.
+- **Multi-user authentication:** optional per-user bearer tokens
+  managed by `wotw user add | list | revoke`.
+- **Tests:** 192 across 16 files. **Docs:** README, architecture,
+  configuration, CLI, MCP, provenance, multi-user.

package/LICENSE

@@ -0,0 +1,36 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  For the full license text, see:
+  https://www.gnu.org/licenses/agpl-3.0.txt
+
+Copyright (C) 2026 3030 Labs LLC
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.

package/LICENSE-NOTICES.md

@@ -0,0 +1,199 @@
+# LICENSE-NOTICES
+
+> **This document is a plain-English summary of the licence on `wotw`.
+> It is NOT legal advice. The binding text is in [`LICENSE`](LICENSE).
+> When the two disagree, `LICENSE` wins. If you need a confident answer
+> for your situation, talk to an attorney who handles open-source licensing.**
+
+## TL;DR
+
+`watcher-on-the-wall` is licensed under **AGPL-3.0-or-later**.
+
+| If you're... | You can... | You must... |
+|---|---|---|
+| Running `wotw` on your own laptop for your own notes | Anything. Modify, embed, fork. | Nothing extra. The AGPL doesn't trigger. |
+| Running `wotw` inside your team / company as an internal tool | Anything. | Nothing extra. Internal use is not "distribution" or "remote interaction." |
+| Modifying `wotw` and shipping the binary to other people | Distribute the modified source under AGPL-3.0-or-later. | Make the modified source available to your distributees on request. |
+| Modifying `wotw` and offering it as a network service to outsiders | Run a modified version. | **Make the modified source available to every user who interacts with the service** (the AGPL §13 network-use clause). A download link in the UI is the minimum. |
+| Building a closed-source SaaS that wraps `wotw` | Use it as-is, unmodified, in a way that's clearly composable rather than entangled. | Read §13 carefully, OR get a commercial licence from 3030 Labs. |
+| Forking `wotw` for a competing product | Yes — that's what AGPL allows. | Keep it AGPL-3.0-or-later and ship source to your users. You may not relicense to MIT / BSD / proprietary. |
+
+## What AGPL-3.0-or-later actually requires
+
+The AGPL is the GPL plus one extra rule: **if you offer a modified
+version of the program over a network, the people interacting with it
+over that network are also entitled to receive the source code**.
+
+In practice this means:
+
+1. **Distribution triggers source-sharing.** If you give someone the
+   `wotw` binary (or a modified one), you must offer them the source,
+   under AGPL-3.0-or-later, on the same channel or by a clearly
+   advertised means (a public Git URL is fine).
+2. **Network use triggers source-sharing too.** If your modified
+   `wotw` answers an HTTP / MCP request from anyone outside the
+   organisation running it, that "anyone outside" is a user, and you
+   owe them source. This is the §13 clause and is the meaningful
+   difference between AGPL and GPL.
+3. **"At a distance" linking still triggers.** Loading `wotw` as a
+   library, importing it as a module, or calling into it via an
+   internal API does not let you escape the AGPL by claiming "we
+   only used the public interface." If your program's normal operation
+   requires `wotw` to function, the combined work is derivative.
+4. **The licence is one-way ratchet.** Code derived from AGPL `wotw`
+   cannot be relicensed under a more permissive licence by anyone
+   except the copyright holder (3030 Labs LLC). A fork that strips
+   the licence is invalid and unenforceable against your
+   downstream users.
+
+## What counts as a "derivative work"
+
+The boring legal answer: courts decide on a case-by-case basis.
+The practical answer:
+
+- **Definitely derivative**: you patched `src/`, you replaced a module,
+  you rebuilt the daemon with different defaults, you forked the repo
+  and renamed it.
+- **Definitely derivative**: you wrote a wrapper that statically
+  imports `@3030-labs/wotw` as an npm dependency and ships the result.
+- **Likely derivative**: your service spawns the `wotw` binary as a
+  subprocess and depends on its specific output format, and you
+  modified that format.
+- **Probably not derivative**: your service calls the unmodified
+  `wotw` MCP HTTP endpoint as one of many independent backend
+  services, the way you'd call any third-party API. Two arms-length
+  processes communicating over standard protocols are usually
+  separate works, but consult counsel if it matters.
+
+When in doubt: the safer reading is that it IS derivative, and the
+honourable thing is to ship source. If you don't want to ship source,
+ask for a commercial licence.
+
+## What counts as a "service"
+
+AGPL §13's network-use clause kicks in when "you modify the Program,
+your modified version must prominently offer all users interacting
+with it remotely through a computer network ... an opportunity to
+receive the Corresponding Source."
+
+- **Internal corporate tools** running `wotw` for company employees
+  only: typically not a §13 trigger. The users are not "remote" in
+  the licence's sense; they're the same organisation that's running
+  the daemon.
+- **Customer-facing SaaS** running `wotw` for paying customers: §13
+  triggers if you've modified `wotw`. Publish a source link on the
+  service's UI or in its docs.
+- **Public-facing free tool** (no auth, anyone-on-the-internet) running
+  `wotw`: §13 triggers if you've modified `wotw`. Same source link
+  obligation.
+- **An MCP endpoint serving your wiki to your own personal Claude
+  Code session**: not a §13 trigger. You're the only user, and you
+  have the source already.
+
+## Relationship to `wotw-cloud`
+
+3030 Labs also operates `wotw-cloud`, the control-plane service for
+managed `wotw` deployments. **`wotw-cloud` is NOT a derivative work
+of `wotw`** under our reading:
+
+- The daemon and the cloud are separate codebases at separate
+  repositories with separate licences.
+- The cloud calls the daemon over standard MCP / HTTP boundaries it
+  did not modify.
+- The cloud does not statically link, embed, or contain `wotw` source.
+- The two products are released independently and can be operated
+  independently.
+
+We share types and the chain-hash algorithm via **CI-enforced
+byte-identity vendoring** between repos so that the daemon's
+provenance chain is byte-identical with what the cloud emits. This is
+not a derivative-work relationship; it's a deliberate interface
+contract.
+
+If you fork `wotw` and want to build your own control plane, you
+have AGPL-3.0-or-later authority to do that — you're not constrained
+by 3030 Labs' commercial offering. The licence is symmetric.
+
+## What competitors can and can't do
+
+**You can:**
+- Fork the repo, rebrand it, and run it for your own customers.
+- Sell support / consulting / hosting on top of unmodified `wotw`.
+- Build a commercial product that interoperates with `wotw` over
+  documented public interfaces (MCP, file-system contract,
+  provenance-chain format).
+- Use the BM25 retrieval design, the Pass A / Pass B context-efficiency
+  architecture, or the G5 attestation scheme as inspiration — those
+  are technical ideas, not copyrightable expression.
+
+**You can't:**
+- Take the AGPL `wotw` source, ship it (modified or not) inside a
+  closed-source product without satisfying AGPL §13 / §5.
+- Relicense `wotw` source to MIT / BSD / proprietary terms.
+- Strip the AGPL notices from files you redistribute.
+- Use the `wotw` or `watcher-on-the-wall` name, the wotw.dev
+  domain, or the `@3030-labs/wotw` npm scope to imply 3030 Labs
+  endorsement of your fork (trademark, not copyright — but the same
+  obligation applies).
+
+## Commercial licence
+
+If AGPL's network-use clause is incompatible with your business
+model, 3030 Labs offers commercial licences that remove the §13
+obligation in exchange for an annual fee. Contact
+`licensing@3030labs.io`. Common reasons customers ask:
+
+- Embedding `wotw` inside a closed-source SaaS without publishing
+  the modifications upstream.
+- Operating a fork as a managed service without exposing the fork's
+  internal patches.
+- Including `wotw` in a customer-deliverable binary that the customer
+  cannot legally redistribute to compete.
+
+We do not offer "AGPL with a one-time fee" — the licence is the
+licence. The commercial option is a separate, parallel licence that
+co-exists with AGPL for users who choose it.
+
+## Third-party dependencies
+
+`wotw` depends on a number of MIT / Apache 2.0 / BSD-licenced npm
+packages (see `package.json` for the full list). Those licences travel
+with the binary in `node_modules/`; redistributing the `wotw` binary
+satisfies them. None of those upstream licences are GPL-incompatible
+with AGPL-3.0-or-later, but if you find one that is, please report it
+to `legal@3030labs.io`.
+
+The exception is `better-sqlite3`, which is MIT and bundles SQLite
+itself (public domain). No additional restriction.
+
+## Patents
+
+3030 Labs LLC has not asserted patents over the `wotw` code. The AGPL
+includes an express patent grant from contributors to users (§11). If
+you contribute code, you grant the same patent licence on contributed
+material to all downstream `wotw` users. This is normal for AGPL
+contributions and is enforced by the DCO sign-off in
+[`CONTRIBUTING.md`](CONTRIBUTING.md).
+
+## Trademark
+
+"watcher-on-the-wall", "wotw", "wotw-cloud", "wotw-verify",
+"3030 Labs", the wotw.dev domain, and any associated logos are
+trademarks of 3030 Labs LLC. The AGPL covers the code, not the
+trademark. You may identify your fork ("based on watcher-on-the-wall"),
+but you may not call your fork "watcher-on-the-wall" or use the
+name in a way that implies 3030 Labs endorsement.
+
+## Where to ask
+
+- General licensing questions: `licensing@3030labs.io`
+- Commercial-licence inquiries: `licensing@3030labs.io`
+- Trademark inquiries: `legal@3030labs.io`
+- Security disclosures: `security@3030labs.io` (see [`SECURITY.md`](SECURITY.md))
+
+---
+
+**Final reminder:** the above is a plain-English summary intended to
+help you understand the AGPL in context. It is not legal advice and
+does not constitute an attorney-client relationship. If your business
+depends on the answer, hire an attorney.