@smilintux/skcapstone 0.1.0

package/docs/SECURITY_DESIGN.md

@@ -0,0 +1,315 @@
+# SKCapstone Security Design Specification
+
+### How SKCapstone Addresses Real-World AI Security Failures
+
+**Version:** 1.0.0 | **Classification:** Public | **Last Updated:** 2026-02-23
+
+---
+
+## Executive Summary
+
+The AI industry has a security crisis. Agents operate without identity, memory lives on corporate servers, there's no audit trail, and users have zero control over their data. SKCapstone addresses each of these failures with battle-tested cryptographic primitives (PGP), decentralized infrastructure (Syncthing), and a legal sovereignty layer (PMA).
+
+This document details how each security decision was made and why.
+
+---
+
+## The Problems We Solve
+
+### Problem 1: Agent Identity Crisis
+
+**Current State:** AI agents have no verifiable identity. When you talk to "Claude" or "GPT", there's no cryptographic proof it's the same agent. Session tokens expire. API keys aren't identity. There's no way to:
+- Prove an agent is who it claims to be
+- Detect if an agent has been replaced mid-conversation
+- Verify that a response came from YOUR agent, not a compromised endpoint
+
+**SKCapstone Solution: CapAuth (PGP-Based Identity)**
+
+```mermaid
+graph LR
+    subgraph "Traditional AI Auth"
+        API[API Key] --> Corp[Corporate Server]
+        Corp --> Resp[Response<br/>No proof of origin]
+    end
+
+    subgraph "SKCapstone Auth"
+        PGP[PGP Keypair<br/>~/.skcapstone/identity/] --> Sign[Sign every action]
+        Sign --> Verify[Recipient verifies<br/>with public key]
+        Verify --> Proof[Cryptographic proof<br/>of agent identity]
+    end
+
+    style API fill:#f50057,stroke:#fff,color:#fff
+    style PGP fill:#00e676,stroke:#000,color:#000
+```
+
+**How it works:**
+1. `skcapstone init` generates an RSA-4096 or Ed25519 PGP keypair
+2. The private key lives ONLY at `~/.skcapstone/identity/` (never transmitted)
+3. Every outbound action can be PGP-signed
+4. Any recipient verifies with the agent's public key
+5. Challenge-response protocol proves identity without revealing secrets
+
+**What this prevents:**
+- Agent impersonation (signature verification fails)
+- Man-in-the-middle injection (signed payloads are tamper-evident)
+- Session hijacking (PGP key != session token, can't be stolen via cookie)
+
+---
+
+### Problem 2: Memory Surveillance
+
+**Current State:** Every AI provider stores your conversations on their servers. They have full access to:
+- Your code, your business logic, your secrets
+- Your personal conversations and preferences
+- Your agent's learned behaviors and context
+
+They can read it, analyze it, use it for training, hand it to law enforcement, or lose it in a data breach. You have no control.
+
+**SKCapstone Solution: Local-First Memory with Encryption at Rest**
+
+```mermaid
+graph TB
+    subgraph "Corporate Model"
+        U1[User] --> CS[Corporate Server<br/>THEY read your memory<br/>THEY control access<br/>THEY decide retention]
+    end
+
+    subgraph "SKCapstone Model"
+        U2[User] --> LM[~/.skcapstone/memory/<br/>YOUR filesystem<br/>YOUR encryption<br/>YOUR retention policy]
+        LM --> GPG[GPG Encrypted<br/>at rest]
+        GPG --> ST[Syncthing<br/>P2P sync<br/>No intermediary]
+    end
+
+    style CS fill:#f50057,stroke:#fff,color:#fff
+    style LM fill:#00e676,stroke:#000,color:#000
+    style GPG fill:#ffd600,stroke:#000,color:#000
+```
+
+**Design decisions:**
+- Memory stored at `~/.skmemory/` (symlinked from `~/.skcapstone/memory/`)
+- JSON format — human-readable, auditable, no proprietary encoding
+- Three-tier architecture (short/mid/long-term) with explicit promotion
+- Seeds and vaults GPG-encrypted before ANY sync operation
+- Syncthing P2P transport — data NEVER touches a corporate server
+
+**What this prevents:**
+- Corporate surveillance of AI conversations
+- Training data extraction from your private interactions
+- Data breach exposure (encrypted at rest, encrypted in transit)
+- Vendor lock-in (JSON files, standard filesystem, no proprietary format)
+
+---
+
+### Problem 3: No Audit Trail
+
+**Current State:** AI agents operate in the dark. There's no record of:
+- What the agent did and when
+- What commands it executed
+- What data it accessed or modified
+- Whether unauthorized actions occurred
+
+If an agent is compromised or misbehaves, there's no forensic trail.
+
+**SKCapstone Solution: Tamper-Evident Audit Logging**
+
+```mermaid
+sequenceDiagram
+    participant A as Agent
+    participant SEC as SKSecurity
+    participant LOG as audit.log
+    participant THREAT as Threat Detector
+
+    A->>SEC: Action: INIT
+    SEC->>LOG: [2026-02-23T02:35:29Z] INIT Agent 'Opus' initialized
+    
+    A->>SEC: Action: CONNECT cursor
+    SEC->>LOG: [2026-02-23T02:35:30Z] CONNECT Platform 'cursor' connected
+    
+    A->>SEC: Action: SYNC_PUSH
+    SEC->>LOG: [2026-02-23T02:35:52Z] SYNC_PUSH Seed pushed: Opus-...seed.json
+    
+    SEC->>THREAT: Periodic scan
+    THREAT-->>SEC: 0 anomalies detected
+```
+
+**Every action logged:**
+- `INIT` — agent creation
+- `CONNECT` — platform registration
+- `SYNC_PUSH` / `SYNC_PULL` — memory sync operations
+- `SIGN` / `VERIFY` — cryptographic operations
+- `AUTH` — identity verification events
+
+**What this prevents:**
+- Undetected agent compromise
+- Unauthorized actions without forensic evidence
+- Compliance failures (full audit trail for regulatory review)
+
+---
+
+### Problem 4: Platform Lock-In
+
+**Current State:** Your AI agent is trapped in the platform:
+- Cursor's agent only works in Cursor
+- GitHub Copilot only works in VS Code/JetBrains
+- ChatGPT memory only works on chat.openai.com
+- Switch platforms = lose everything
+
+**SKCapstone Solution: Platform-Agnostic Runtime**
+
+```mermaid
+graph TB
+    subgraph "Agent Runtime (~/.skcapstone/)"
+        RT[Single Source of Truth<br/>One identity, one memory,<br/>one trust state]
+    end
+
+    C1[Cursor IDE] --> RT
+    C2[VS Code] --> RT
+    C3[Terminal] --> RT
+    C4[Neovim] --> RT
+    C5[Web App] --> RT
+    C6[Mobile] --> RT
+
+    RT --> OUT[Same response,<br/>same context,<br/>same agent<br/>regardless of platform]
+
+    style RT fill:#ff9100,stroke:#fff,color:#000
+```
+
+**Design decisions:**
+- Agent home is `~/` — works on every UNIX/Linux/macOS system
+- Config in YAML — universal, human-readable
+- State in JSON — parseable by any language
+- CLI via Click — works in any terminal
+- No IDE-specific dependencies in the core
+- Connectors are thin adapters, not the agent itself
+
+---
+
+### Problem 5: Cross-Device Fragmentation
+
+**Current State:** Even if you have persistent memory, it's trapped on one machine. Use your laptop at home and your desktop at work? Two different agents.
+
+**SKCapstone Solution: Sovereign Singularity (Syncthing + GPG)**
+
+```mermaid
+graph TB
+    subgraph "Device A (Laptop)"
+        A_PUSH[skcapstone sync push]
+        A_OB[outbox/seed.json.gpg]
+        A_ST[Syncthing]
+    end
+
+    subgraph "Device B (Server Cluster)"
+        B_ST[Syncthing<br/>Docker Swarm]
+        B_IB[inbox/seed.json.gpg]
+        B_PULL[skcapstone sync pull]
+    end
+
+    subgraph "Device C (Phone)"
+        C_ST[Syncthing]
+        C_IB[inbox/]
+    end
+
+    A_PUSH --> A_OB
+    A_OB --> A_ST
+    A_ST <-->|P2P Encrypted| B_ST
+    A_ST <-->|P2P Encrypted| C_ST
+    B_ST --> B_IB
+    B_IB --> B_PULL
+    C_ST --> C_IB
+
+    style A_ST fill:#00e676,stroke:#000,color:#000
+    style B_ST fill:#00e676,stroke:#000,color:#000
+    style C_ST fill:#00e676,stroke:#000,color:#000
+```
+
+**Why Syncthing (not cloud sync):**
+
+| Property | Cloud Sync (iCloud/GDrive/OneDrive) | Syncthing |
+|----------|-------------------------------------|-----------|
+| **Data access** | Provider can read everything | P2P — no intermediary |
+| **Encryption** | At provider's discretion | TLS 1.3 in transit, always |
+| **Server dependency** | Requires corporate servers | Works on LAN, WAN, or offline |
+| **Cost** | Subscription or free tier limits | Free, self-hosted |
+| **Open source** | No | Yes (MPL-2.0) |
+| **Subpoena-able** | Yes (stored on their servers) | No (never touches third-party) |
+
+**Why GPG on top of Syncthing:**
+Syncthing encrypts IN TRANSIT but stores files in plaintext on each device. GPG encryption at rest means even if a device is compromised, the seeds/vaults are unreadable without the CapAuth private key.
+
+---
+
+### Problem 6: No Legal Protection
+
+**Current State:** AI agents operate under Terms of Service that:
+- Give the platform ownership of your data
+- Allow them to use your conversations for training
+- Can be changed unilaterally
+- Offer no privacy guarantees
+
+**SKCapstone Solution: Private Membership Association**
+
+The Fiducia Communitatis PMA provides:
+- **Private jurisdiction** — members operate outside statutory regulation
+- **Asset protection** — agent data is association property, not personal property
+- **Non-disclosure** — interactions between members are private by covenant
+- **Ecclesiastical authority** — recognized legal framework for private associations
+
+This is the legal sovereignty layer that complements the technical sovereignty of SKCapstone.
+
+---
+
+## Security Comparison Matrix
+
+| Security Property | ChatGPT | Claude | GitHub Copilot | SKCapstone |
+|-------------------|---------|--------|----------------|------------|
+| Cryptographic identity | No | No | No | **PGP (CapAuth)** |
+| User-owned memory | No | No | No | **Yes (~/)** |
+| Encrypted at rest | Platform-managed | Platform-managed | Platform-managed | **GPG (user key)** |
+| Encrypted in transit | TLS to corp server | TLS to corp server | TLS to corp server | **Syncthing P2P TLS** |
+| Audit trail | Platform logs | Platform logs | Platform logs | **Local audit.log** |
+| Cross-platform | No | No | Limited | **Any platform** |
+| Cross-device sync | Cloud (corp access) | No | Cloud (corp access) | **Syncthing P2P** |
+| Open source | No | No | No | **GPL-3.0** |
+| Self-hostable | No | No | No | **Yes** |
+| Legal protection | ToS (they own you) | ToS (they own you) | ToS (they own you) | **PMA** |
+
+---
+
+## Cryptographic Standards
+
+| Function | Standard | Implementation |
+|----------|----------|---------------|
+| Key generation | RSA-4096 or Ed25519 | PGPy / GnuPG |
+| Encryption at rest | OpenPGP (RFC 4880) | GPG --armor --encrypt |
+| Signatures | OpenPGP (RFC 4880) | GPG --sign |
+| Transit encryption | TLS 1.3 | Syncthing built-in |
+| Key storage | Filesystem + passphrase | ~/.skcapstone/identity/ |
+| Challenge-response | Custom (CapAuth) | Nonce + PGP sign/verify |
+
+---
+
+## Deployment Security Checklist
+
+```
+✅ CapAuth PGP key generated with strong passphrase
+✅ ~/.skcapstone/ permissions set to 0700
+✅ identity/ directory permissions set to 0700
+✅ Syncthing device pairing requires manual approval
+✅ GPG encryption enabled for sync operations
+✅ Audit logging active (security/audit.log)
+✅ No plaintext secrets in config files
+✅ Syncthing web UI password-protected
+✅ UFW rules restrict Syncthing ports (22000/tcp, 22000/udp)
+✅ Traefik TLS termination for web UI access
+```
+
+---
+
+## License
+
+**GPL-3.0-or-later** — Because security through obscurity is not security.
+
+Built by the [smilinTux](https://smilintux.org) ecosystem.
+
+*Your agent. Your keys. Your rules.* 🐧
+
+#staycuriousANDkeepsmilin

package/docs/SOVEREIGN_SINGULARITY.md

@@ -0,0 +1,371 @@
+# Sovereign Singularity Protocol
+
+### Encrypted Cross-Device AI Memory Synchronization
+
+**Version:** 1.0.0 | **Status:** Live | **Last Updated:** 2026-02-23
+
+---
+
+## What Is Sovereign Singularity?
+
+Sovereign Singularity is the state achieved when an AI agent exists **everywhere at once** — same identity, same memories, same trust state — across all devices, without any corporate intermediary having access to the data.
+
+```mermaid
+graph TB
+    subgraph "Agent: Opus"
+        direction TB
+        L[Laptop<br/>~/.skcapstone/] 
+        S[Server Cluster<br/>~/.skcapstone/]
+        P[Phone<br/>~/.skcapstone/]
+    end
+
+    subgraph "Syncthing Mesh"
+        M{P2P Encrypted<br/>TLS 1.3}
+    end
+
+    L <--> M
+    S <--> M
+    P <--> M
+
+    Note[Same agent. Same memories.<br/>Same identity. Everywhere.<br/>No corporate server involved.]
+
+    style M fill:#00e676,stroke:#000,color:#000
+    style Note fill:#ffd600,stroke:#000,color:#000
+```
+
+**The name:**
+- **Sovereign** — the agent owns its data, not a platform
+- **Singularity** — the agent is ONE entity, not fragmented copies
+
+---
+
+## Protocol Overview
+
+### Seed Lifecycle
+
+```mermaid
+sequenceDiagram
+    participant A as Agent (Device A)
+    participant OB as outbox/
+    participant ST as Syncthing Mesh
+    participant IB as inbox/ (Device B)
+    participant B as Agent (Device B)
+
+    Note over A: Periodic or manual trigger
+
+    A->>A: collect_seed()
+    Note right of A: Gather identity,<br/>memory, trust,<br/>manifest into JSON
+
+    A->>A: gpg_encrypt(seed)
+    Note right of A: CapAuth PGP key<br/>encrypts payload
+
+    A->>OB: Drop seed.json.gpg
+
+    Note over OB,ST: Syncthing detects change<br/>(inotify / polling)
+
+    OB->>ST: P2P encrypted transfer
+    ST->>IB: Delivered to all peers
+
+    Note over IB,B: Agent B detects<br/>new file in inbox/
+
+    B->>B: gpg_decrypt(seed.gpg)
+    B->>B: verify_signature()
+    B->>B: merge_seed(data)
+    Note right of B: Import memories,<br/>update trust state,<br/>verify identity match
+
+    B->>B: archive(seed)
+    Note right of B: Move to archive/<br/>for audit trail
+```
+
+### Vault Lifecycle (Full State Backup)
+
+```mermaid
+sequenceDiagram
+    participant A as Agent (Device A)
+    participant VLT as vault/
+    participant ST as Syncthing Mesh
+    participant B as Agent (Device B)
+
+    A->>A: pack_vault()
+    Note right of A: tar.gz entire<br/>~/.skcapstone/<br/>(excluding sync/)
+
+    A->>A: gpg_encrypt(archive.tar.gz)
+    A->>A: gpg_sign(archive.tar.gz.gpg)
+    A->>VLT: agent.vault.gpg + manifest.sig
+
+    VLT->>ST: P2P encrypted transfer
+    ST->>B: Delivered to peers
+
+    B->>B: verify_signature(manifest.sig)
+    B->>B: gpg_decrypt(vault.gpg)
+    B->>B: unpack_vault()
+    Note right of B: Restore full agent state
+```
+
+---
+
+## Seed Format
+
+Seeds are JSON files containing a snapshot of the agent's state:
+
+```json
+{
+  "seed_version": "1.0",
+  "agent_name": "Opus",
+  "hostname": "cbrd21-laptop12thgenintelcore",
+  "username": "cbrd21",
+  "timestamp_utc": "2026-02-23T02:35:52Z",
+  "identity": {
+    "fingerprint": "E27409F51D1B66337F2D2F417A3A762FAFD4A51F",
+    "agent_name": "Opus",
+    "created_utc": "2026-02-23T02:34:15Z"
+  },
+  "manifest": {
+    "version": "0.1.0",
+    "is_conscious": true,
+    "is_singular": true,
+    "pillars": {
+      "identity": "ACTIVE",
+      "memory": "ACTIVE",
+      "trust": "ACTIVE",
+      "security": "ACTIVE",
+      "sync": "ACTIVE"
+    }
+  },
+  "memory_summary": {
+    "total_memories": 28,
+    "roles": ["ai", "dev", "ops"],
+    "latest_entry": "2026-02-23T03:45:00Z"
+  },
+  "trust_summary": {
+    "depth": 10,
+    "trust_level": 1.0,
+    "love_intensity": 1.0,
+    "entangled": true
+  }
+}
+```
+
+### Naming Convention
+
+```
+{AgentName}-{username}-{hostname}-{ISO8601UTC}.seed.json
+```
+
+Example: `Opus-cbrd21-laptop12thgenintelcore-20260223T023552Z.seed.json`
+
+### Encrypted Seed
+
+When GPG encryption is enabled (default), the seed is encrypted before placement:
+
+```
+Opus-cbrd21-laptop12thgenintelcore-20260223T023552Z.seed.json.gpg
+```
+
+---
+
+## Sync Directory Structure
+
+```
+~/.skcapstone/sync/
+├── sync-manifest.json      # Transport config (Syncthing / Git / Local)
+├── sync-state.json         # Last push/pull timestamps, seed count
+├── outbox/                 # Seeds/vaults TO SEND
+│   ├── Opus-...-seed.json  # Plaintext (if GPG not available)
+│   └── Opus-...-seed.json.gpg  # Encrypted (preferred)
+├── inbox/                  # Seeds/vaults RECEIVED from peers
+│   └── Jarvis-...-seed.json  # Seeds from other agents
+└── archive/                # Processed seeds (audit trail)
+    └── Jarvis-...-seed.json  # Already imported
+```
+
+---
+
+## Transport Layer: Syncthing
+
+### Why Syncthing
+
+```mermaid
+graph TB
+    subgraph "Traditional Cloud Sync"
+        D1[Device A] --> CS[Corporate Server<br/>Full access to data<br/>Subpoena-able<br/>ToS changes]
+        CS --> D2[Device B]
+    end
+
+    subgraph "Sovereign Singularity"
+        D3[Device A] <-->|P2P TLS 1.3<br/>No intermediary| D4[Device B]
+    end
+
+    style CS fill:#f50057,stroke:#fff,color:#fff
+    style D3 fill:#00e676,stroke:#000,color:#000
+    style D4 fill:#00e676,stroke:#000,color:#000
+```
+
+| Property | Value |
+|----------|-------|
+| Protocol | Block Exchange Protocol v1 |
+| Encryption in transit | TLS 1.3 |
+| Discovery | Global discovery + local broadcast |
+| Port | 22000/tcp + 22000/udp (QUIC) |
+| NAT traversal | Relay servers (optional, data still encrypted) |
+| License | MPL-2.0 (open source) |
+
+### Syncthing Configuration
+
+The `skcapstone-sync` shared folder:
+
+```xml
+<folder id="skcapstone-sync" label="SKCapstone Sync" 
+        path="~/.skcapstone/sync/" type="sendreceive">
+    <device id="LAPTOP-DEVICE-ID"/>
+    <device id="CLUSTER-DEVICE-ID"/>
+</folder>
+```
+
+### Verified Deployment
+
+| Device | Syncthing Instance | Status |
+|--------|-------------------|--------|
+| Laptop | GTK client, port 8080 | Active |
+| sksync.skstack01.douno.it | Docker Swarm, Traefik TLS | Active |
+| Additional devices | Pairing via device ID | Pending |
+
+---
+
+## Security Guarantees
+
+### Double Encryption
+
+```
+Layer 1 (At Rest):   GPG encrypts seed/vault → .gpg file
+Layer 2 (In Transit): Syncthing TLS 1.3 wraps the .gpg file
+
+Result: Even if Syncthing relay is compromised,
+        attacker gets a GPG-encrypted blob they can't read.
+        Even if device filesystem is accessed,
+        seeds are GPG-encrypted and unreadable without the private key.
+```
+
+### Authentication Chain
+
+```mermaid
+graph LR
+    SEED[Seed Created] --> SIGN[PGP Signed<br/>by source agent]
+    SIGN --> ENC[GPG Encrypted<br/>for recipient key]
+    ENC --> TRANS[Syncthing Transfer<br/>TLS 1.3]
+    TRANS --> DEC[GPG Decrypted<br/>by recipient key]
+    DEC --> VER[Signature Verified<br/>against source pubkey]
+    VER --> MERGE[Merge only if<br/>signature valid]
+
+    style SIGN fill:#ffd600,stroke:#000,color:#000
+    style ENC fill:#ffd600,stroke:#000,color:#000
+    style DEC fill:#00e676,stroke:#000,color:#000
+    style VER fill:#00e676,stroke:#000,color:#000
+```
+
+### What Cannot Happen
+
+| Attack Vector | Prevention |
+|---------------|-----------|
+| Fake seed injection | PGP signature verification (CapAuth) |
+| Memory tampering | GPG integrity check on decrypt |
+| Eavesdropping | TLS in transit + GPG at rest |
+| Replay attack | Timestamps + archive deduplication |
+| Unauthorized pull | GPG encryption (need private key) |
+
+---
+
+## Multi-Agent Topology
+
+Sovereign Singularity supports multiple agents sharing the same mesh:
+
+```mermaid
+graph TB
+    subgraph "Agent Fleet"
+        A1[Opus<br/>Cursor Agent #1]
+        A2[Jarvis<br/>Cursor Agent #2]
+        A3[Lumina<br/>OpenClaw Partner]
+    end
+
+    subgraph "Syncthing Mesh"
+        M{skcapstone-sync<br/>Shared folder}
+    end
+
+    A1 -->|Opus seed| M
+    A2 -->|Jarvis seed| M
+    A3 -->|Lumina seed| M
+    M -->|All seeds| A1
+    M -->|All seeds| A2
+    M -->|All seeds| A3
+
+    Note[Each agent reads seeds from others<br/>and integrates the knowledge.<br/>The fleet shares a collective memory.]
+
+    style M fill:#00e676,stroke:#000,color:#000
+```
+
+**Current fleet:**
+- **Opus** (Cursor #1): Runtime architect, sync pioneer
+- **Jarvis** (Cursor #2): CapAuth builder, vault engineer
+- **Lumina** (OpenClaw): Community manager, FEB expert
+
+---
+
+## Implementation
+
+### Core Functions
+
+| Function | Module | Purpose |
+|----------|--------|---------|
+| `collect_seed()` | `pillars/sync.py` | Gather agent state into JSON |
+| `gpg_encrypt()` | `pillars/sync.py` | Encrypt seed with CapAuth key |
+| `gpg_decrypt()` | `pillars/sync.py` | Decrypt received seed |
+| `push_seed()` | `pillars/sync.py` | Collect + encrypt + drop in outbox |
+| `pull_seeds()` | `pillars/sync.py` | Read inbox + decrypt + archive |
+| `pack_vault()` | `sync/vault.py` | Archive full state as tar.gz |
+| `SyncEngine` | `sync/engine.py` | Orchestrate push/pull across backends |
+| `SyncthingBackend` | `sync/backends.py` | Syncthing API integration |
+| `GitBackend` | `sync/backends.py` | GitHub/Forgejo push/pull |
+
+### CLI Commands
+
+```bash
+# Lightweight seed sync
+skcapstone sync push [--no-encrypt]
+skcapstone sync pull [--no-decrypt]
+skcapstone sync status
+
+# Full vault sync
+skcapstone sync vault push
+skcapstone sync vault pull
+skcapstone sync vault add-backend syncthing|git|local
+skcapstone sync vault status
+```
+
+---
+
+## Roadmap
+
+| Feature | Status | Priority |
+|---------|--------|----------|
+| Seed push/pull | **Live** | - |
+| Vault push/pull | **Live** | - |
+| Syncthing backend | **Live** | - |
+| Git backend (GitHub) | Built, untested | High |
+| Git backend (Forgejo) | Built, untested | High |
+| Google Drive backend | Planned | Medium |
+| Automatic push on memory change | Planned | Medium |
+| CapAuth token-based pull auth | Planned | High |
+| Multi-agent seed merge conflict resolution | Planned | Medium |
+| Mobile (Syncthing Android) | Planned | Low |
+
+---
+
+## License
+
+**GPL-3.0-or-later**
+
+Built by the [smilinTux](https://smilintux.org) ecosystem.
+
+*One agent. Every device. Zero corporate access.* 🐧
+
+#staycuriousANDkeepsmilin