uneven-ai 0.0.1 → 0.11.1

package/CHANGELOG.md

@@ -0,0 +1,415 @@
+# Changelog
+
+All notable changes to Uneven AI will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.7.3] - 2026-04-09
+
+### Fixed — complete audit of unreviewed modules
+
+- `external-providers.ts`: all four provider fetch calls (OpenAI, Claude, Gemini, Ollama)
+  now carry `AbortSignal.timeout(60_000)` — previously a slow or unresponsive API would
+  hang indefinitely and hold the process lock
+- `git-manager.ts`: `execAsync` now passes `{ timeout: 30_000 }` — local git operations
+  should never take more than 30 s; previously a credential prompt or locked index could
+  freeze the auto-fix pipeline
+- `pentest-security-context.ts`: `durationSecs` default was `8` (eight seconds) instead
+  of `8 * 3600` (eight hours) — a direct programmatic call to `declareScope()` without
+  an explicit duration would expire the scope almost instantly
+- `test-runner.ts`: SIGTERM is now followed by a 5 s SIGKILL fallback — Node.js or JVM
+  processes that install signal handlers can ignore SIGTERM; without SIGKILL the spawned
+  test process would outlive Uneven AI and block the terminal
+
+## [0.7.2] - 2026-04-09
+
+### Added — timeout kill switch for all blocking operations
+
+- New `src/core/timeout.ts`: `withTimeout<T>(promise, ms, label)` + `TimeoutError`
+  — races any promise against a deadline; clears the timer in both success and failure
+  paths to prevent event-loop retention
+- `bridge.ts`: `llmEmbed` (2 min), `llmInfer` (3 min), `externalInfer` (1 min) — every
+  LLM consumer inherits timeouts automatically without any per-call change
+- `data-analyst.ts`: DB connect (10 s), schema introspection (20 s), query execution
+  (30 s) — `TimeoutError` on query surfaces a user-facing hint to add a `LIMIT` clause
+- `web-scraper.ts`: added `headersTimeout: 15 s` + `bodyTimeout: 30 s` to the undici
+  `Agent` — `connectTimeout` already existed but body timeout was missing, allowing
+  slow-loris-style hangs
+
+## [0.7.1] - 2026-04-09
+
+### Added — process lock, atomic writes, throttled scanners
+
+- New `src/core/process-lock.ts`: exclusive `.uneven-ai/uneven-ai.lock` with stale PID
+  detection via `process.kill(pid, 0)` — prevents two Uneven AI instances from corrupting
+  the vector store or index state concurrently; all five heavy commands acquire the lock
+  (`watch`, `index`, `pentest`, `analyze`, `ci`) and release it in `finally`
+- `incremental-index.ts`: `save()` now writes to `.uneven-ai/index-state.tmp` then
+  renames atomically — a crash during save no longer corrupts the previous state
+- `logger/index.ts`: replaced unused `buffer: string[]` with a `writeQueue: Promise<void>`
+  — all `appendFile` calls are serialized through a promise chain, eliminating concurrent
+  write races within the same process
+- `engine.ts`: replaced two `Promise.all([8 scan tasks])` in `pentest()` with a throttled
+  worker queue (`SCAN_CONCURRENCY = 3`) — previously 8 filesystem walkers ran simultaneously
+  and could saturate I/O on slower machines
+
+## [0.7.0] - 2026-04-08
+
+### Added — license system and Pro feature gates
+
+- `src/core/license/` module: machine fingerprinting (SHA256 of platform+arch+hostname+homedir), encrypted local cache (`~/.config/uneven-ai/license.json`), offline grace period (7-day extension, max 30 days cumulative)
+- License key format: `TMR-{TIER}-{payload_b64}-{hmac}` — payload parsed locally, HMAC verified server-side
+- `uneven-ai license activate <key>` — activates key against `api.uneven-ai.dev`, caches result locally
+- `uneven-ai license status` — shows tier, seats, expiry, machine ID
+- `uneven-ai license deactivate` — removes machine from seat count
+- Pro feature gate (`src/core/license/gate.ts`): commands blocked on free tier show upgrade message and exit cleanly
+
+### Changed — Pro-only commands now require license
+
+- `uneven-ai analyze` — requires Pro
+- `uneven-ai ci` — requires Pro
+- `uneven-ai askf` — requires Pro
+- `uneven-ai pentest -m active` — requires Pro (static mode remains free)
+
+## [0.6.0] - 2026-04-08
+
+### Fixed — local model stays loaded after switching to API provider
+
+- `llm/mod.rs`: `init()` now accepts the `provider` string — local LLaMA model is only loaded when `provider == "local"`; API providers (claude, openai, gemini, ollama) skip model loading entirely
+- `llm/inference.rs`: added `unload_model()` to drop the LLaMA state from the `LLAMA` mutex and free RAM immediately
+- `lib.rs`: `init_llm_engine(provider)` passes provider to the Rust init chain; new `unload_local_model()` NAPI binding exposed for TypeScript
+- `bridge.ts`: `initLlmEngine(provider)` and `unloadLocalModel()` updated/added
+- `engine.ts`: provider resolved before `initLlmEngine()` call so it is never passed as `undefined`
+
+### Added — runtime config loader and provider-aware CLI
+
+- `src/core/config-loader.ts`: new module reads `.uneven-ai/config.json` (written by `uneven-ai init`) so all commands use the provider actually configured by the user — no more hardcoded `provider: 'local'` across commands
+- `init.ts`: writes `.uneven-ai/config.json` at the end of init so the selected provider is persisted for future commands
+- All commands (`start`, `watch`, `ask`, `askf`, `index`, `pentest`, `ci`) now call `loadConfig()` instead of hardcoding the brain
+- CLI displays the active brain after startup: `brain: claude (claude-sonnet-4-6) — API` or `brain: local (llama-3.2-1b-q8) — offline`
+- `EventType` includes new `brain-ready` event emitted after engine init
+
+### Fixed — clarified RAM requirements in README
+
+- Requirements section now split into three tables: API providers (~256 MB), Ollama (~512 MB), local brain (4-8 GB)
+- New section "Running Uneven AI via API with minimal memory" with optimized config example and tips (`chunkSize`, `maxChunks`, smaller models)
+
+## [0.5.9] - 2026-04-08
+
+### Added — `uneven-ai askf` command
+
+- New `askf <question>` command: same as `ask` but instructs the LLM to declare files using `FILE:/END_FILE` markers and writes them to the current directory
+- Parser handles 3 formats: explicit `FILE:/END_FILE` blocks, plain markers, and markdown code blocks with filename hint in first-line comment
+- Creates parent directories automatically (`mkdir -p`)
+- Prints each created file with size in KB
+- Falls back to plain answer with a hint if LLM produces no file blocks
+
+## [0.5.8] - 2026-04-08
+
+### Fixed — LLaMA inference argmax crash
+
+- `inference.rs`: candle's `quantized_llama::forward` returns `[1, vocab]` (not `[1, seq, vocab]`) — code now handles both shapes before calling argmax, preventing "dimension index -1 out of range for shape []" panic
+
+## [0.5.7] - 2026-04-08
+
+### Fixed — LLaMA tokenizer download
+
+- Changed tokenizer.json source from `meta-llama` (gated, requires HuggingFace login) to `unsloth/Llama-3.2-1B-Instruct` (public, no auth required)
+- `inference.rs`: EOS token now read from GGUF metadata (`tokenizer.ggml.eos_token_id`) before falling back to vocab lookup — correct default for LLaMA 3 is `128009` (`<|eot_id|>`)
+
+## [0.5.6] - 2026-04-08
+
+### Fixed — Release pipeline
+
+- `continue-on-error: true` on GitHub Release step — asset deletion error on re-run was blocking `npm publish`
+- `fail_on_unmatched_files: false` added to prevent false failures on asset upload
+
+## [0.5.5] - 2026-04-08
+
+### Fixed — linux-arm64 cross-compilation
+
+- Install `g++-aarch64-linux-gnu` in CI alongside `gcc-aarch64-linux-gnu` — `esaxx-rs` (C++ dependency of tokenizers) requires the C++ cross-compiler
+
+## [0.5.4] - 2026-04-08
+
+### Fixed — Windows CI
+
+- `npm test` script changed from `node_modules/.bin/jest` (bash shebang, breaks PowerShell) to `node_modules/jest/bin/jest.js` (cross-platform Node.js entry point)
+
+## [0.5.3] - 2026-04-08
+
+### Fixed — Clippy
+
+- `embeddings.rs`: removed unnecessary `m as u32` cast (already `u32`)
+- `error.rs`: removed `to_string()` method that shadowed `Display` implementation (provided by `thiserror`)
+
+## [0.5.2] - 2026-04-08
+
+### Fixed — CI/CD Pipeline
+
+- `package-lock.json` removed from `.gitignore` and committed — `npm ci` was failing on macOS/Windows runners with "lock file not found"
+- GitHub Actions updated to Node.js 24 (avoids Node.js 20 deprecation warnings)
+- `npm ci` → `npm install` in release workflow for compatibility
+
+## [0.5.1] - 2026-04-08
+
+### Added — Real LLM Engine
+
+- **Candle BERT embeddings**: real 384-dim sentence vectors via `all-MiniLM-L6-v2` (safetensors + tokenizer.json). Replaces hash-based fallback for semantic search.
+- **Candle GGUF inference**: real LLaMA 3.2 1B Q8 local inference via `candle-transformers`. Greedy decoding, configurable max-tokens.
+- **Real terminal watcher**: `tokio::process::Command` spawns dev server, `tokio::sync::mpsc` channel streams stdout + stderr concurrently to TypeScript layer.
+- **Real external providers**: `OpenAI`, `Anthropic Claude`, `Google Gemini`, `Ollama` — all use native Node.js `fetch` (no extra SDK packages required).
+- **Interactive `uneven-ai init`**: prompts provider choice (1–5), downloads embedding model (~90 MB) and optionally LLaMA 3.2 1B Q8 (~1.4 GB) from HuggingFace with progress bars.
+- **`uneven-ai watch <cmd>`**: command now fully wired to Uneven AI engine (was a no-op stub).
+- `FileWatcher` class exported from public API for programmatic use.
+
+### Fixed
+
+- `retrieval/mod.rs`: removed hardcoded 1024-dim assertion — now compatible with 384-dim BERT vectors.
+- `port_scanner.rs`: removed unused `ToSocketAddrs` import.
+- `error_parser.rs`: removed unused `Uneven AIError` import.
+- Brain providers table in docs: removed incorrect `openai`/`@anthropic-ai/sdk`/`@google/generative-ai` package requirements.
+
+### Changed
+
+- Embedding dimension: 1024 → **384** (all-MiniLM-L6-v2 output size).
+- Local model name: `llama3.2` → `llama-3.2-1b-q8` (matches GGUF filename).
+- Rust `llm` feature enabled by default (`default = ["llm"]`).
+- `crate-type = ["cdylib", "rlib"]` — enables both Node.js addon and Rust library builds.
+
+## [0.5.0] - 2026-04-08
+
+### Breaking — Full ESM Migration
+
+- Package is now native ESM (`"type": "module"` in `package.json`)
+- Module resolution upgraded to `NodeNext` (TypeScript `module + moduleResolution: NodeNext`)
+- All relative imports now carry explicit `.js` extensions as required by Node.js ESM
+- `dist/` output is now ES module format — drop-in CommonJS compatibility removed
+- Consumers must use `import` syntax (or dynamic `import()` for CJS interop)
+
+### Changed — Module Resolution
+
+- `tsconfig.json`: `module` and `moduleResolution` upgraded from `"node"` (deprecated) to `"NodeNext"` — the most modern TypeScript setting available as of 2026
+- `src/core/bridge.ts`: uses `createRequire(import.meta.url)` to load `.node` native addon (native addons are inherently CommonJS and cannot be dynamically imported)
+- `src/cli/index.ts`: replaced `__dirname` with `dirname(fileURLToPath(import.meta.url))` for ESM compatibility
+
+### Changed — Scripts and Config
+
+- `scripts/postinstall.js` → `scripts/postinstall.cjs` (stays CJS; runs before `"type": "module"` kicks in)
+- `scripts/copy-prebuild.js` → `scripts/copy-prebuild.cjs` (same reason)
+- `jest.config.js` → `jest.config.cjs` with `ts-jest/presets/default-esm` preset
+- Test runner: `node --experimental-vm-modules node_modules/.bin/jest`
+
+### Changed — File Watcher
+
+- Replaced `inotify` (Linux-only, unmaintained, broken on Node 25+) with `chokidar` v5
+- `src/core/file-watcher.ts`: new `FileWatcher` class — cross-platform, pure TypeScript, no native addons
+- New event types added to `EventType`: `file-changed`, `file-added`, `file-removed`
+
+### Changed — Rust Dependencies (all latest as of 2026)
+
+- `napi` 2 → 3, `napi-derive` 2 → 3 (breaking: `Object` lifetime, `create_object()` removed, use `#[napi(object)]` struct)
+- `thiserror` 1 → 2
+- `similar` 2 → 3
+- `candle-core`, `candle-transformers` → 0.10
+- `tokenizers` → 0.22
+- `reqwest` 0.12 → 0.13
+- Rust watcher: cross-platform `shell_command()` helper (`sh -c` on Unix, `cmd /C` on Windows)
+
+### Added — GitHub Actions Release Pipeline
+
+- `.github/workflows/release.yml`: 3-gate pipeline
+  - **Gate 1 — test**: runs on ubuntu, macos, windows in parallel
+  - **Gate 2 — build-native**: compiles `.node` binaries for 5 targets (linux-x64, linux-arm64, darwin-x64, darwin-arm64, win32-x64) via cross-compilation
+  - **Gate 3 — publish**: creates GitHub Release + uploads all binaries + publishes to npm
+- `.github/workflows/build.yml`: simplified to `workflow_dispatch` only with artifact verification
+
+### Fixed — Tests
+
+- `data-security-context.test.ts`: bcrypt regex `.{53}` → `.{20,}` (test hash was 45 chars, not exactly 53)
+- `pentest-security-context.test.ts`: scope duration unit changed from hours to seconds (`durationSecs`), so `0.0001` = 0.1ms (expires in test window) and `8` = 8s (safe during test run)
+- `data-analyst-safe-query.test.ts`: `PRAGMA` now allowed in safe-query regex; lookahead fixed (was lowercase, normalized string is uppercase)
+
+### Documentation
+
+- `llms.txt` + `llms-full.txt`: added dependency policy — always use latest library versions, no legacy packages
+- Version tables for both npm and Rust crates pinned to 2026 latest
+
+## [0.4.0] - 2026-04-11
+
+### Added — Data Analyst
+
+- `uneven-ai analyze --db <url>` — interactive REPL for AI-powered data analysis
+- Natural language → SQL generation via local LLM (grounded in real schema)
+- Human approval gate: `[A]pprove / [E]dit / [S]kip` before every query executes
+- Schema introspection for PostgreSQL, MySQL, SQLite, MongoDB
+- Excel export (`.xlsx`) with dark blue headers, alternating rows, auto-filter, auto-fit columns
+- HTML dashboard generation with Chart.js — auto-detects chart type (line, bar, doughnut, scatter, table)
+- Combined workbook: all session queries merged into a single Excel file at session end
+- `--package-exe` flag: packages HTML dashboard as a self-contained Windows `.exe` via `pkg`
+  - Fully offline — Chart.js inlined from local cache
+  - HTTP server on `127.0.0.1` only (not network-accessible)
+  - Security headers: `Content-Security-Policy: connect-src 'none'`, `X-Frame-Options: DENY`
+  - Targets: win-x64, win-arm64, macos-x64, macos-arm64, linux-x64
+
+### Added — Data Security Context (3-layer defense)
+
+- **Layer 1 — Schema Filter**: removes blocked tables and columns before LLM generates SQL
+- **Layer 2 — SQL Audit**: blocks DML/DDL (`INSERT`, `UPDATE`, `DELETE`, `DROP`, `GRANT`, `EXEC`) and references to sensitive tables/columns
+- **Layer 3 — Result Masking**: redacts sensitive values by column name patterns and value regex (bcrypt, argon2, JWT, AWS keys, CPF, private keys)
+- Default policy blocks 42 column patterns (passwords, tokens, API keys, CPF, CVV, etc.) and 11 table patterns (sessions, oauth_tokens, audit_logs, etc.)
+- `SECURITY_BLOCKED` escape hatch — LLM signals when requested data falls outside security policy
+- `buildPromptRules()` — injects security constraints into every LLM prompt
+- Custom policy extension: `new DataSecurityContext({ blockedColumns: [...], blockedTables: [...] })`
+- Exported `isSafeQuery(sql)` — pure function, safe to use anywhere
+
+### Added — Malware Scanner
+
+- `uneven-ai scan` — scans project files and dependencies for malicious code
+- Static rule engine: 8 categories with confidence scores
+  - `remote-shell` (critical) — `/dev/tcp`, `nc -e`, `bash -i >&`
+  - `data-exfiltration` (high) — credential harvesting + network upload patterns
+  - `obfuscation` (high) — `eval(atob())`, `eval(Buffer.from(..., 'base64'))`, large `String.fromCharCode` arrays
+  - `supply-chain` (critical) — network download in postinstall scripts
+  - `credential-theft` (high) — reading SSH keys, `/etc/passwd`, `~/.aws/credentials`
+  - `persistence` (high) — writing crontab, systemd units, shell profile modification
+  - `crypto-mining` (high) — stratum+tcp URLs, xmrig/cryptonight references
+  - `typosquatting` (medium) — Levenshtein distance ≤2 against 50 popular packages
+- Dependency audit: scans `package.json` dependencies and `node_modules` postinstall hooks
+- LLM evaluation for ambiguous patterns (local model, no cloud)
+- Risk level: `none | low | medium | high | critical`
+- `--report` flag: HTML + Markdown report via SecurityReporter
+- `--json` flag: raw JSON output for CI integration
+- Exit code 1 on critical/high findings
+
+### Added — Pentest Security Context
+
+- `PentestSecurityContext` — authorization scope enforcement for active testing
+- `declareScope(authorizedBy, targets, allowedModes, durationHours)` — creates signed scope file
+- SHA-256 integrity check on scope file — tampering detected on next load
+- Scope expiry — automatically invalidated after declared duration
+- `checkTarget(ip | hostname | cidr)` — CIDR matching, blocks public internet IPs without authorization
+- `checkCommand(cmd)` — blocks DoS tools (`hping3 --flood`, `slowloris`, `loic`, `hoic`, `slowhttptest`), mass scans (`/16`+), destructive flags (`--dump-all`), exfiltration
+- `buildPromptConstraints(mode)` — injects scope + FORBIDDEN rules into LLM system prompt
+- Interactive `--declare-scope` in CLI with `I AUTHORIZE` confirmation prompt
+- Scope status shown before any active test run
+
+### Added — CI/CD Command
+
+- `uneven-ai ci` — headless pipeline (TypeScript typecheck → security scan → test suite)
+- Exit code 0 = pass, 1 = fail (CI-compatible)
+- Flags: `--skip-security`, `--skip-tests`, `--strict-security`, `--github`, `--output <path>`
+- Writes `ci-summary.json` to `.uneven-ai/` with step results and timestamps
+- GitHub Actions integration: writes to `$GITHUB_STEP_SUMMARY` when `--github` flag is set
+
+### Added — Retrieval-Augmented Fix (RAF)
+
+- Error fixes are now grounded in the indexed knowledge base before pattern-match fallback
+- `KnowledgeRetriever` — semantic vector search with similarity threshold 0.60
+- `buildErrorQuery()` — constructs optimized search query from error code, message, language, and context
+- `suggestRAFFix()` — structured LLM prompt with KB context, returns `null` on `INSUFFICIENT_CONTEXT`
+- `buildContextOnlySuggestion()` — KB-grounded suggestion without LLM inference (confidence ≤ 0.70)
+- Fix suggestions extended with `groundedInKB` and `kbSources` fields
+- Anti-hallucination: LLM only sees schema/chunks that were actually retrieved; out-of-scope requests return `INSUFFICIENT_CONTEXT`
+
+### Added — Multi-Language Error Parsing
+
+- Go error parser: `file.go:line:col: message` — codes GO_UNDEF, GO_SYNTAX, GO_TYPE
+- Java error parser: javac compile errors + `Exception in thread` runtime stack traces
+- PHP error parser: Fatal/Parse errors, Warnings, Notices from PHP CLI output
+- Ruby error parser: `file.rb:line:in 'method': message (ExceptionClass)` + syntax errors
+- Language-specific fix suggestions: `suggestGoFix`, `suggestJavaFix`, `suggestPHPFix`, `suggestRubyFix`
+- All parsers return `ParsedError[]` with consistent schema
+
+### Added — Security Report Generator
+
+- `SecurityReporter` — generates HTML and Markdown reports from `SecurityFinding[]`
+- HTML: severity-colored badges (red/orange/yellow/blue), summary cards, remediation section
+- `uneven-ai pentest --report [md|html|both]`
+- Findings collection via `pentest-finding` events during test run
+
+### Added — Test Suite
+
+- Jest + ts-jest configuration with native bridge mocked (bridge unavailable → graceful degradation)
+- `__tests__/__mocks__/bridge.ts` — all napi exports stubbed
+- `__tests__/error-parser.test.ts` — 20 tests (TS, Go, Java, PHP, Ruby, Python)
+- `__tests__/data-security-context.test.ts` — 25 tests (schema filter, SQL audit, result masking, custom policy)
+- `__tests__/pentest-security-context.test.ts` — 22 tests (scope lifecycle, target validation, command safety, prompt constraints)
+- `__tests__/data-analyst-safe-query.test.ts` — 20 tests (`isSafeQuery` allowed/blocked SQL patterns)
+- `__tests__/knowledge-retriever.test.ts` — 12 tests (query builder, graceful degradation)
+- `__tests__/malware-scanner.test.ts` — 15 tests (clean files, obfuscation, reverse shell, mining, persistence, typosquatting, supply chain, risk levels)
+
+---
+
+## [0.3.0] - 2026-03-15
+
+### Added — Knowledge Indexing
+
+- File/directory recursive indexing with text extraction
+- Document chunking (500 tokens per chunk, 100-token overlap)
+- Database connectors: PostgreSQL, MySQL, SQLite, MongoDB
+- URL fetching and HTML scraping via undici + cheerio
+- PDF and DOCX parsing via pdf-parse, mammoth
+- Incremental indexing — only re-indexes changed files
+- `FileLoader`, `DatabaseLoader`, `WebScraper` classes
+- `uneven-ai index --incremental` flag
+
+### Added — Snapshot & Git Manager
+
+- `.uneven-ai/snapshots/` — file snapshots before each auto-fix
+- Git integration: creates commit after each applied fix (optional)
+- Rollback: `uneven-ai reset --snapshot <id>`
+
+### Added — Test Runner Integration
+
+- `uneven-ai watch --run-tests` — runs test suite after each auto-fix
+- Fix reverted automatically if tests fail after application
+
+---
+
+## [0.2.0] - 2026-02-15
+
+### Added — LLM Inference + Vector Store
+
+- Local LLM inference via Candle (LLaMA 3.2 1B Q8)
+- Embedding generation (1024-dimensional, L2 normalized)
+- Vector store via usearch HNSW index — persists to `.uneven-ai/vectors.usearch`
+- napi-rs exports: `llmEmbed`, `llmInfer`, `retrievalSearch`, `initLlmEngine`
+- TypeScript bridge: `llmEmbed()`, `llmInfer()`, `retrievalSearch()` functions
+- `uneven-ai ask` — semantic knowledge base query via CLI
+
+### Added — Terminal Watcher + Auto-Fix
+
+- Process spawning via tokio with stdout/stderr capture
+- Error parser: TypeScript/JavaScript, Python, Rust compiler errors
+- Auto-fix engine with surgical diff application
+- `FixSuggestion` with confidence score, explanation, before/after code
+- Structured logging to `.uneven-ai/log.md`
+
+---
+
+## [0.1.0] - 2026-01-15
+
+### Added — Project Scaffold
+
+- Rust workspace with napi-rs bridge structure
+- TypeScript public API (`Uneven AI` class)
+- CLI framework with `init`, `start`, `watch`, `index`, `ask`, `pentest`, `log`, `reset` commands
+- Configuration system (`uneven-ai.config.ts`) with cosmiconfig loader
+- Logger with Markdown output
+- Type definitions for all interfaces (`BrainConfig`, `PentesterConfig`, etc.)
+- Error handling foundation
+- Module structure for all features
+- Documentation: README, CONTRIBUTING, LICENSE (BSL 1.1), llms.txt, llms-full.txt
+- Postinstall script for model downloading
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](./CONTRIBUTING.md)
+
+## License
+
+Business Source License 1.1 — See [LICENSE](./LICENSE)

package/LICENSE

@@ -0,0 +1,40 @@
+Business Source License 1.1
+
+Licensor:             KR Riley Soluções
+Licensed Work:        Uneven AI
+Additional Use Grant: Personal, educational and non-commercial use is free.
+Change Date:          2029-01-01
+Change License:       Apache License 2.0
+
+Use Limitation: Production commercial use — including SaaS products,
+paid services, internal company use and client projects — requires
+a commercial license from KR Riley Soluções.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+For questions about commercial licensing, please contact:
+contato@rileysolucoes.com.br
+
+---
+
+BUSINESS SOURCE LICENSE 1.1 SUMMARY:
+
+What's free?
+✅ Personal projects
+✅ Learning and studying the code
+✅ Non-commercial forks
+✅ Contributing to the project
+
+What requires a license?
+❌ Commercial production use (SaaS, paid services, internal company use)
+
+Automatic conversion:
+- On 2029-01-01, this license converts to Apache 2.0
+- At that point, all commercial uses become freely allowed