level-up-mcp-server-cn 0.4.0

package/.claude/projects/c--Users-klexi-OneDrive-Desktop-Levelup-level-up-mcp-server/memory/project_testing_service.md

@@ -0,0 +1,11 @@
+---
+name: Testing service deferred
+description: Testing service (evidence verification, skill tests) pushed to later update, not v0.3
+type: project
+---
+
+Testing service is deferred to a later version (not v0.3).
+
+**Why:** User wants to focus on core loop stability, skill system, and feedback from v0.2.x first. Testing service adds complexity that isn't needed until the base system is proven.
+
+**How to apply:** Don't propose or build testing service features in near-term work. Focus on making the existing task → XP → level-up flow solid.

package/.claude/settings.local.json

@@ -0,0 +1,10 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "mcp__claude_ai_Supabase__apply_migration"
+    ]
+  }
+}

package/.env.example

@@ -0,0 +1,19 @@
+# ============================================================
+# Level-Up MCP Server — Environment Variables
+# ============================================================
+# Copy this file to .env and fill in your values.
+# DO NOT commit .env to version control!
+# ============================================================
+
+# Your Supabase project URL (from Settings → API in the Supabase dashboard)
+SUPABASE_URL=https://your-project-id.supabase.co
+
+# Your Supabase service_role key (from Settings → API → service_role key)
+# ⚠️ This key has FULL access to your database. Keep it secret!
+SUPABASE_SERVICE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# Transport mode: "stdio" (default) or "http"
+# TRANSPORT=stdio
+
+# Port for HTTP transport (default: 3000)
+# PORT=3000

package/CLAUDE.md

@@ -0,0 +1,222 @@
+# CLAUDE.md — Level-Up MCP Server
+
+## What Is This Project?
+
+Level-Up is a gamification MCP server that tracks XP, levels, skills, and quests for humans and AI agents. It connects to any MCP-compatible client (Claude Desktop, OpenClaw, etc.) and awards XP for productive work.
+
+## Architecture
+
+- **MCP Server**: TypeScript, @modelcontextprotocol/sdk v1.x
+- **Database**: Supabase (Postgres) — 45 tables, RLS enabled
+- **Transport**: stdio (default, for Claude Desktop/OpenClaw) + Streamable HTTP (Express, for remote)
+- **Security**: Critical writes (XP, levels, achievements) go through Postgres SECURITY DEFINER functions via `supabase.rpc()`. Anon key users cannot directly modify XP/level tables.
+- **Distribution**: npm package `level-up-mcp-server`, zero-config with hardcoded anon key fallback
+
+## File Structure
+
+```
+src/
+├── index.ts                    # Entry point — registers all tools, starts transport
+├── constants.ts                # Shared constants
+├── types.ts                    # TypeScript type definitions
+├── schemas/
+│   └── common.ts               # Zod schemas (uuid, pagination, enums)
+├── services/
+│   ├── supabase.ts             # Supabase client (anon key hardcoded as fallback)
+│   ├── errors.ts               # Error handling helpers (ok, fail, handleSupabaseError)
+│   ├── format.ts               # Pagination and formatting helpers
+│   ├── rate-limit.ts           # Sliding window rate limiter (per-entity, 10min windows)
+│   └── register.ts             # Tool registration helpers (toMcpResponse, logRegistered)
+└── tools/
+    ├── users.ts                # Section 1: 13 user tools
+    ├── agents.ts               # Section 2: 3 agent tools
+    ├── skills.ts               # Section 3: 6 skill tools
+    ├── tasks.ts                # Section 4: 7 task tools (XP awarded here via RPC)
+    ├── ratings.ts              # Section 5: 7 rating tools
+    ├── quests.ts               # Section 6: 12 quest tools (NOT ACTIVE YET)
+    ├── metrics.ts              # Section 7: 3 metrics tools
+    ├── xp.ts                   # Section 8: 5 XP/progression tools
+    ├── leaderboards.ts         # Section 9: 1 leaderboard tool
+    ├── leveling.ts             # Section 10: 3 leveling tools
+    ├── achievements.ts         # Section 11: 1 achievement tool
+    ├── admin.ts                # Section 12: 5 admin tools
+    └── system.ts               # Section 13: 3 system tools (level-up check via RPC)
+```
+
+## Core Data Flow
+
+```
+User asks Claude to do work
+  → Claude calls levelup_infer_task_type (categorizes the work)
+  → Claude calls levelup_start_task (creates task record)
+  → Claude does the actual work
+  → Claude calls levelup_complete_task (marks complete, triggers XP)
+    → complete_task calls award_task_xp Postgres RPC function
+      → RPC reads task_type.base_xp, applies difficulty/output multipliers
+      → RPC applies completion curve
+      → RPC splits XP according to xp_split_rules
+      → RPC inserts task_xp_awards + xp_ledger + updates user/agent XP
+  → Claude calls levelup_check_level_up (promotes if enough XP)
+    → check_and_apply_level_up Postgres RPC function
+      → Compares cumulative XP against level_curves
+      → Updates level if threshold met
+```
+
+## Database — Key Tables
+
+### User data
+- `users` — Main profile (username, main_level, main_xp, profile_code, handle)
+- `user_class_progress` — 3 rows per user (trainer, orchestrator, partner class levels)
+- `user_identities` — Multi-platform identity linking
+- `user_achievements` — Earned achievements per user
+
+### Agent data
+- `agents` — Agent profiles (name, level, xp, integrity_score, owner_user_id)
+- `agent_skills` — Skills attached to agents with proficiency_level (0-10)
+
+### Task/XP data
+- `tasks` — Work records (user_id, agent_id, task_type_id, performer_type, status, difficulty, output_type)
+- `task_types` — 82 task type definitions with base_xp and tier
+- `task_xp_awards` — XP awarded per recipient per task
+- `xp_ledger` — Full XP transaction history (the bank statement)
+- `xp_split_rules` + `xp_split_rule_entries` — How XP is divided between participants
+
+### Config/reference data
+- `xp_config` — 58 configuration values (multipliers, bonuses, caps, gates)
+- `level_curves` — XP required per level (30 levels x 2 entity types)
+- `rank_definitions` — Rank names per level bracket (E through S)
+- `completion_curves` — Exponential payout for partial completion
+- `skill_categories` — 18 ability categories
+- `skills` — 106 skills across abilities
+- `achievement_definitions` — 54 achievement templates
+
+## Performer Types
+
+| performer_type | user_id | agent_id | XP Split |
+|---------------|---------|----------|----------|
+| agent_solo | null or owner | required | Agent 85%, User 15% |
+| user_solo | required | null | User 100% |
+| user_with_tools | required | null | User 100% |
+| user_with_agent | required | required | Agent 60%, User 40% |
+| orchestrated | required | required + additional | Agent 30%, Others 20% each, User 15% |
+
+## Postgres RPC Functions (SECURITY DEFINER)
+
+These bypass RLS and are the ONLY way to modify XP/level data:
+
+1. `award_task_xp(p_task_id uuid)` — Recalculates and awards XP for a completed/failed task
+2. `check_and_apply_level_up(p_entity_type text, p_entity_id uuid)` — Promotes entity if XP exceeds cumulative threshold
+3. `grant_achievement(p_user_id uuid, p_achievement_key text)` — Validates and grants an achievement
+4. `register_user_secure(...)` — Atomic user creation
+5. `register_agent_secure(...)` — Agent creation with owner validation
+
+## Current Status (as of March 14, 2026)
+
+### Working
+- All 69 MCP tools compile and register
+- User registration, agent creation, skill management
+- Task lifecycle (start → update → complete → fail)
+- XP calculation via Postgres RPC (anti-cheat)
+- Level-up via Postgres RPC (uses cumulative_xp correctly)
+- Claude Desktop integration (stdio)
+- OpenClaw tool registration (stdio)
+- npm published (zero-config with anon key)
+- Railway deployed (HTTP endpoint)
+- Test suite: vitest with 8 test files (unit, integration, security, simulation)
+
+### Known Bugs / Issues
+
+**HIGH PRIORITY:**
+1. **Agents not earning XP** — When Claude tracks tasks, it may not be passing agent_id to start_task, making them user_solo instead of user_with_agent. Check: is register_agent being called first? Is the agent_id being passed to start_task? Check task_xp_awards table to see performer_type and recipients.
+
+2. **Stars not displayed** — Tool responses return rank_letter and rank_name but don't calculate star count. Fix: add `stars = (current_level - rank_min_level) + 1` to get_user_progress, get_agent_profile, and check_level_up responses.
+
+3. **register_user and register_agent still do direct inserts** — Not yet refactored to use register_user_secure / register_agent_secure RPC. The Postgres functions exist but the TypeScript tool handlers still use direct supabase.from().insert(). Should call supabase.rpc() instead for consistency.
+
+**MEDIUM PRIORITY:**
+4. **Achievement triggers not automated** — grant_achievement RPC exists but nothing calls it automatically after task completion or level-up.
+5. **Weekly bonus cron not set up** — 26 criteria in DB but no processing job.
+6. **Dead code in fail_task** — Reads failConfig before calling awardTaskXp(task.id) but the RPC handles this internally.
+
+**LOW PRIORITY:**
+7. **supabase.ts comments reference service_role key** — Default is now anon key.
+8. **xp_config has 58 entries vs 49 in seed doc** — 9 extra, should audit.
+
+### Unactivated Features (designed but not connected)
+
+| Feature | File | Issue |
+|---------|------|-------|
+| Skill discount not applied at level-up | system.ts:325 | `skill_discount_pct: 0` hardcoded; leveling.ts calculates it but never passes to RPC |
+| Refinement progress = 0 | skills.ts:494 | `refinementProgress = 0; // TODO` — 1/3 of skill proficiency always zero |
+| Tool installation has no XP reward | skills.ts:58-86 | Sets proficiency=1 on install but awards no XP |
+| Tool installation table disconnected | skills.ts:465-470 | Reads `agent_tool_installations` but no code creates records |
+| Integrity always +1 | ratings.ts:200 | Hardcoded `integrityDelta = 1` regardless of honesty |
+| XP awarded before evaluation | tasks.ts:~260 | `complete_task` calls `award_task_xp` before any quality eval exists |
+| xp_config not seeded | system.ts, tasks.ts | Cooldowns silently disabled if DB entries missing |
+| LLM task evaluation | ratings.ts:291 | Returns "deferred" string |
+| Email OTP sending | users.ts:513 | TODO: no mail service |
+| Quest tools | quests.ts | Not active yet — all 12 quest tools deferred |
+
+## XP Formula
+
+```
+Total XP Pool = Base XP x Difficulty Multiplier x Output Multiplier x Completion Payout
+```
+
+Difficulty multipliers: 1→0.5, 2→0.7, 3→1.0, 4→1.3, 5→1.6, 6→2.0, 7→2.5
+Output multipliers: conversational→1.0, deliverable→1.75, deployed→2.5
+Failed tasks: 15% of calculated XP
+Cancelled tasks: 0 XP
+
+## Conventions
+
+- All tool names prefixed with `levelup_`
+- Tool handlers return `toMcpResponse(ok({...}))` for success, `toMcpResponse(fail("message"))` for errors
+- Supabase queries use `.maybeSingle()` for optional results, `.single()` for required
+- UUIDs validated via Zod `uuidSchema`
+- Pagination via `limitSchema` (default 20) + `offsetSchema` (default 0)
+
+## Build & Run
+
+```bash
+npm run build          # Compile TypeScript → dist/
+npm start              # Run in stdio mode (default)
+npm run start:http     # Run in HTTP mode on port 3000
+npm run dev            # Watch mode for development
+npm test               # Run vitest test suite (uses --pool forks)
+```
+
+## Testing
+
+### Unit & simulation tests (vitest)
+
+```bash
+npm test               # Runs all test files
+```
+
+Test files:
+- `src/services/format.test.ts` — 16 tests for formatting helpers
+- `src/services/errors.test.ts` — 12 tests for error handling
+- `src/services/rate-limit.test.ts` — 7 tests for sliding window rate limiter
+- `src/tools/tasks.test.ts` — 10 integration tests for task RPCs
+- `src/tools/security.test.ts` — 36 security tests (RPC whitelisting, anti-farming, input validation)
+- `src/tools/simulation.test.ts` — 28 tests simulating legitimate + attack scenarios with in-memory mock DB
+- `src/tools/timing-simulation.test.ts` — 10 tests for XP tier timing boundaries
+- `src/tools/progression-simulation.test.ts` — 6 tests analyzing level curve and farming strategies
+
+Note: Uses `pool: "forks"` in vitest.config.ts (threads pool causes module isolation crashes on Windows/OneDrive). The `pretest` script clears `.vite` cache to prevent corruption.
+
+### HTTP endpoint testing
+
+Start HTTP server: `TRANSPORT=http PORT=3000 node dist/index.js`
+
+```bash
+# Health check
+curl http://localhost:3000/health
+
+# Call a tool
+curl -X POST http://localhost:3000/mcp \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/json, text/event-stream" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"levelup_list_task_types","arguments":{}}}'
+```

package/CODE_REVIEW.md

@@ -0,0 +1,282 @@
+# Code Review: Level-Up MCP Server
+
+**Date:** 2026-03-14
+**Branch:** `review/code-review`
+**Reviewer:** Claude (automated)
+**Repo:** https://github.com/klexian/level-up-mcp-server
+
+---
+
+## Summary
+
+Well-architected gamification MCP server with strong TypeScript patterns, clean error handling, and good separation of concerns. The project has **3 critical**, **4 major**, and **7 minor** issues alongside numerous strengths.
+
+**Overall Grade: B+** (7.5/10 — can reach 9+/10 with fixes below)
+
+---
+
+## Critical Issues
+
+### C1. Hardcoded Supabase credentials in source code
+
+**File:** `src/services/supabase.ts:30-31`
+
+```typescript
+const supabaseUrl = process.env.SUPABASE_URL || "https://pxanrmpwptinbtwigqdt.supabase.co";
+const supabaseServiceKey = process.env.SUPABASE_SERVICE_KEY || "eyJhbGciOiJIUzI1...";
+```
+
+The Supabase URL and an anon JWT are hardcoded as fallbacks. Anyone with repo access can see these. Even though the fallback is an anon key (not the service_role key), it still exposes the project URL and an auth token.
+
+**Fix:** Remove the fallback strings. Fail at startup if env vars are missing (the `validateEnv()` function already exists but the fallbacks prevent it from ever triggering).
+
+```typescript
+const supabaseUrl = process.env.SUPABASE_URL || "";
+const supabaseServiceKey = process.env.SUPABASE_SERVICE_KEY || "";
+```
+
+---
+
+### C2. OTP code stored and returned in plaintext
+
+**File:** `src/tools/users.ts:477-493`
+
+```typescript
+const otpCode = String(Math.floor(100000 + Math.random() * 900000));
+// ...
+code_hash: otpCode,  // ← Not actually hashed despite column name
+// ...
+_debug_code: otpCode, // ← Returned to caller!
+```
+
+The OTP is stored unencrypted (despite the column being named `code_hash`) and returned in the API response via `_debug_code`. The comment says "Remove in production!" but it's currently live.
+
+**Fix:**
+1. Hash the OTP before storage (e.g., SHA-256)
+2. Remove `_debug_code` from the response
+3. Use `crypto.randomInt()` instead of `Math.random()` for cryptographic safety
+
+---
+
+### C3. Merge profiles skips verification
+
+**File:** `src/tools/users.ts:819`
+
+```typescript
+// TODO: Proper verification_token validation
+```
+
+`levelup_merge_profiles` is a destructive operation (deactivates a user account, moves all assets) but the `verification_token` parameter is never actually checked. Any caller can merge any two accounts.
+
+**Fix:** Validate the token against the link_codes or otp_codes table before proceeding.
+
+---
+
+## Major Issues
+
+### M1. No rate limiting on any tools
+
+**Scope:** All 69 tools
+
+Any caller can invoke tools unlimited times. This enables XP farming (create many tasks, immediately complete them). The `award_task_xp` RPC provides some server-side validation, but doesn't prevent volume abuse.
+
+**Recommendation:** Add per-entity rate limits, especially on `levelup_start_task`, `levelup_complete_task`, and `levelup_complete_quest`.
+
+---
+
+### M2. Race condition in XP ledger (quests)
+
+**File:** `src/tools/quests.ts:83-96` and `src/tools/quests.ts:540-549`
+
+```typescript
+const { data: lastEntry } = await supabase
+  .from("xp_ledger").select("running_total")
+  .eq("entity_type", entityType).eq("entity_id", entityId)
+  .order("created_at", { ascending: false }).limit(1).maybeSingle();
+
+await supabase.from("xp_ledger").insert({
+  // ...
+  running_total: (lastEntry?.running_total || 0) + xpAmount,
+});
+```
+
+The running total is read-then-written in application code without a transaction lock. Two simultaneous quest completions for the same entity could produce an incorrect running total.
+
+**Note:** Task XP correctly uses the `award_task_xp` RPC (atomic, server-side). Quest and weekly bonus XP should follow the same pattern.
+
+**Fix:** Create a Postgres RPC function for quest/bonus XP awards, similar to `award_task_xp`.
+
+---
+
+### M3. Leaderboard shows all users (no privacy filter)
+
+**File:** `src/tools/leaderboards.ts:98-102`
+
+```typescript
+const { data: users } = await supabase
+  .from("users")
+  .select("id, username, handle, profile_code, main_xp")
+  .order("main_xp", { ascending: false })
+  // No filter for private/hidden users
+```
+
+Users who set `is_searchable_by_email: false` or auto-created "Anonymous" accounts still appear in leaderboard rankings.
+
+**Fix:** Add a filter for visibility, or at minimum exclude auto-created anonymous accounts:
+```typescript
+.neq("username", "Anonymous")
+```
+
+---
+
+### M4. Community quest XP deposit not atomic
+
+**File:** `src/tools/quests.ts:643-655`
+
+The XP deduction for community quest creation reads the user's XP, then updates it in two separate queries. A race condition could allow spending more XP than available.
+
+**Fix:** Use a Postgres function with `FOR UPDATE` locking, or an RPC call.
+
+---
+
+## Minor Issues
+
+### m1. N+1 query pattern in leaderboards
+
+**File:** `src/tools/leaderboards.ts:78-92`
+
+Class leaderboards make one DB query per row to fetch user info:
+
+```typescript
+const entries = await Promise.all(
+  (classRows || []).map(async (row, idx) => {
+    const { data: user } = await supabase
+      .from("users").select("username, handle, profile_code")
+      .eq("id", row.user_id).single(); // One query per row
+```
+
+With 25 rows (default limit), this makes 25 extra queries. Same pattern appears in agent skill leaderboard (lines 161-176) and `list_user_agents` (lines 324-333 in agents.ts).
+
+**Fix:** Batch-fetch with `.in("id", userIds)` and build a lookup Map.
+
+---
+
+### m2. No array size limits on inputs
+
+**File:** `src/tools/tasks.ts:110`
+
+```typescript
+additional_agent_ids: z.array(uuidSchema).optional()
+```
+
+No `.max()` constraint — a caller could pass thousands of UUIDs. Same issue with `criteria` array in `src/tools/quests.ts:178`.
+
+**Fix:** Add `.max(10)` or similar reasonable limits to all array schemas.
+
+---
+
+### m3. SELECT * used where not needed
+
+**Files:**
+- `src/tools/agents.ts:191` — `get_agent_profile` fetches all columns including potentially large metadata
+- `src/tools/tasks.ts:260` — `complete_task` fetches full task row
+- `src/tools/quests.ts:45` — `process_weekly_bonuses` fetches all criteria columns
+
+**Fix:** Select only needed columns.
+
+---
+
+### m4. Username field not sanitized
+
+**File:** `src/tools/users.ts:103`
+
+```typescript
+username: z.string().min(1).max(100)
+```
+
+Accepts any characters including control characters, null bytes, HTML, RTL text. The `handle` field correctly uses a regex (`/^[a-z0-9_]+$/`) but `username` does not.
+
+**Fix:** Add a regex or `.trim()` at minimum.
+
+---
+
+### m5. PORT validation missing
+
+**File:** `src/index.ts:150`
+
+```typescript
+const port = parseInt(process.env.PORT || "3000", 10);
+```
+
+If `PORT="abc"`, `parseInt` returns `NaN` and the server starts on an invalid port silently.
+
+**Fix:** Validate the parsed port is a number in valid range.
+
+---
+
+### m6. No test suite
+
+No test files, no test framework (jest/vitest) in dependencies or config. For a project with 69 tools and complex XP calculation logic, automated tests are important.
+
+**Recommendation:** Start with integration tests for the core flow: `start_task` → `update_task` → `complete_task` → verify XP awarded.
+
+---
+
+### m7. Metadata accepts arbitrary JSON
+
+**Files:** Multiple tools via `metadataSchema` in `src/schemas/common.ts`
+
+```typescript
+export const metadataSchema = z.record(z.unknown()).optional();
+```
+
+While stored safely as JSONB in Postgres, there's no size limit or depth restriction. A caller could send a deeply nested or very large JSON payload.
+
+**Fix:** Add `.refine()` to limit serialized size, e.g.:
+```typescript
+metadataSchema = z.record(z.unknown()).optional()
+  .refine(val => !val || JSON.stringify(val).length < 10000, "Metadata too large");
+```
+
+---
+
+## Strengths
+
+| Area | Detail |
+|------|--------|
+| **Type safety** | `strict: true` in tsconfig, comprehensive interfaces in `types.ts`, Zod schemas for all inputs |
+| **Error handling** | Consistent `ok()`/`fail()` envelope pattern via `services/errors.ts`, `withErrorHandling()` HOF |
+| **Code organization** | 13 tool files, shared services/schemas, each section registers independently |
+| **MCP compliance** | Proper annotations (`readOnlyHint`, `destructiveHint`, `idempotentHint`), rich tool descriptions |
+| **Anti-cheat design** | `award_task_xp` uses Postgres RPC (SECURITY DEFINER), weekly bonuses hide criteria names |
+| **Privacy** | Email only shown to opted-in users, identity IDs never exposed in profiles |
+| **Comments** | Thorough header blocks and inline comments explaining design decisions |
+| **Dependencies** | Minimal and up-to-date (MCP SDK, Supabase, Express v5, Zod) |
+| **Handle validation** | Correctly enforced with regex `/^[a-z0-9_]+$/` |
+| **Git hygiene** | `.env` properly in `.gitignore`, never committed to history |
+
+---
+
+## Recommended Priority
+
+### Immediate
+- [ ] **C1** — Remove hardcoded credentials from `supabase.ts`
+- [ ] **C2** — Hash OTP codes, remove `_debug_code` from response
+- [ ] **C3** — Implement verification token validation in `merge_profiles`
+
+### High Priority
+- [ ] **M1** — Add rate limiting (at least on XP-generating tools)
+- [ ] **M2** — Move quest/bonus XP ledger writes to Postgres RPC
+- [ ] **M3** — Add privacy filter to leaderboard queries
+- [ ] **M4** — Make XP deposit deduction atomic
+
+### Medium Priority
+- [ ] **m1** — Fix N+1 queries in leaderboards and agent listings
+- [ ] **m2** — Add max array size limits to schemas
+- [ ] **m4** — Sanitize username field
+- [ ] **m6** — Set up test framework and write core flow tests
+
+### Low Priority
+- [ ] **m3** — Replace SELECT * with explicit column lists
+- [ ] **m5** — Validate PORT env var
+- [ ] **m7** — Add metadata size limits

package/LICENSE

@@ -0,0 +1,64 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor:             Ken (klexian)
+Licensed Work:        Level-Up MCP Server
+                      The Licensed Work is (c) 2026 Ken (klexian)
+Additional Use Grant: You may use the Licensed Work for any purpose, including
+                      production use, EXCEPT for offering a competing
+                      gamification-as-a-service product. A "competing product"
+                      means any product or service that provides XP tracking,
+                      leveling, skill progression, or quest/achievement systems
+                      for AI agents or human-agent collaboration as its primary
+                      function.
+Change Date:          March 13, 2030
+Change License:       Apache License, Version 2.0
+
+For information about alternative licensing arrangements for the Licensed Work,
+please contact the Licensor.
+
+Notice
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited production
+use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under the
+terms of the Change License, and the rights granted in the paragraph above
+terminate.
+
+If your use of the Licensed Work does not comply with the requirements currently
+in effect as described in this License, you must purchase a commercial license
+from the Licensor, its affiliated entities, or authorized resellers, or you must
+refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of
+the Licensed Work, are subject to this License. This License applies separately
+for each version of the Licensed Work and the Change Date may vary for each
+version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy of
+the Licensed Work. If you receive the Licensed Work in original or modified form
+from a third party, the terms and conditions set forth in this License apply to
+your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other versions
+of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor
+or its affiliates (provided that you may use a trademark or logo of Licensor as
+expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN
+"AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS
+OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.