Licensing & governance foundation (entity name, CLA, trademark, patents)

.github/workflows/cla.yml

@@ -0,0 +1,35 @@
+# CLA Assistant — gates pull requests on signing CLA.md.
+#
+# SETUP (founder-led, one-time): create a fine-grained Personal Access Token with
+# `contents: write` on this repo and add it as the repo secret CLA_SIGNATURES_TOKEN.
+# Signatures are recorded in signatures/cla.json on the `cla-signatures` branch.
+name: CLA Assistant
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+  statuses: write
+
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-latest
+    steps:
+      - name: CLA Assistant
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_SIGNATURES_TOKEN }}
+        with:
+          path-to-signatures: 'signatures/cla.json'
+          path-to-document: 'https://github.com/capabilityhostprotocol/chp-core/blob/main/CLA.md'
+          branch: 'cla-signatures'
+          allowlist: 'dependabot[bot],bot*'
+          custom-pr-sign-comment: 'I have read the CLA Document and I hereby sign the CLA'
+          custom-notsigned-prcomment: 'Thanks for your contribution! Before we can merge, please read our [Contributor License Agreement](CLA.md) and sign it by posting the comment below.'

CLA.md

@@ -0,0 +1,82 @@
+# Contributor License Agreement (CLA)
+
+> **DRAFT — pending legal review.** This document is adapted from standard
+> open-source CLA templates (notably the Apache Individual CLA) for Project
+> Auxo, Inc. It has not yet been reviewed by counsel. Do not rely on it as
+> final legal text until that review is complete.
+
+Thank you for contributing to the Capability Host Protocol (CHP). To keep CHP
+open and re-usable for everyone — and to preserve the project's ability to
+evolve its licensing in the future — we ask every contributor to agree to this
+Contributor License Agreement ("Agreement") with **Project Auxo, Inc.** ("the
+Company"). This Agreement protects you, the Company, and all users of CHP.
+
+You retain ownership of your contributions. This Agreement only grants the
+Company the licenses described below.
+
+## 1. Definitions
+
+- **"You"** means the individual or legal entity agreeing to this Agreement.
+- **"Contribution"** means any original work of authorship — including any
+  modifications or additions to existing work — that You intentionally submit
+  to the Company for inclusion in, or documentation of, any CHP project.
+- **"Submit"** means any form of electronic, verbal, or written communication
+  sent to the Company or its projects (e.g., pull requests, issues, patches),
+  excluding anything conspicuously marked "Not a Contribution."
+
+## 2. Copyright license
+
+You grant the Company, and recipients of software distributed by the Company, a
+perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare derivative works of, publicly display,
+publicly perform, sublicense, and distribute Your Contributions and such
+derivative works.
+
+**This includes the right for the Company to license and re-license Your
+Contribution under any license terms, including both open-source licenses and
+commercial/proprietary licenses (dual licensing).** This relicensing right is
+what allows CHP to remain durable and to fund its own development.
+
+## 3. Patent license
+
+You grant the Company, and recipients of software distributed by the Company, a
+perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated below) patent license to make, have made, use, offer to sell,
+sell, import, and otherwise transfer Your Contribution, where such license
+applies only to those patent claims licensable by You that are necessarily
+infringed by Your Contribution alone or by combination of Your Contribution with
+the project to which it was submitted.
+
+If any entity institutes patent litigation against You or any other entity
+alleging that Your Contribution, or the project it was submitted to, constitutes
+direct or contributory patent infringement, then any patent licenses granted to
+that entity under this Agreement terminate as of the date such litigation is
+filed.
+
+## 4. Your representations
+
+- You represent that You are legally entitled to grant the above licenses.
+- If Your employer has rights to intellectual property You create, You represent
+  that You have received permission to make Contributions on behalf of that
+  employer, that Your employer has waived such rights, or that Your employer has
+  executed a separate Corporate CLA with the Company.
+- You represent that each Contribution is Your original creation, or that You
+  have clearly identified any third-party material (and its license) within it.
+- You are not expected to provide support for Your Contributions, and they are
+  provided "AS IS" without warranties of any kind.
+
+## 5. Corporate contributions
+
+If You are agreeing on behalf of a legal entity, "You" includes that entity and
+all entities that control, are controlled by, or are under common control with
+it. The signatory represents they are authorized to bind that entity.
+
+## How to sign
+
+Contributions are gated by an automated CLA check on pull requests. When you
+open your first pull request, a bot will ask you to read this Agreement and
+confirm your acceptance by commenting as instructed. Your GitHub identity and
+the commit history serve as the signature record.
+
+Questions: open an issue or contact the maintainers. See
+[`CONTRIBUTING.md`](CONTRIBUTING.md).

CONTRIBUTING.md

@@ -2,6 +2,21 @@
 
 CHP is early. Contributions should keep the v0.1 surface small, explicit, and testable.
 
+## Contributor License Agreement
+
+Before we can merge your contribution, you must sign the
+[Contributor License Agreement](CLA.md). You keep ownership of your work; the CLA
+lets Project Auxo, Inc. distribute and (re)license it so CHP stays durable. The
+process is automated: open a pull request and a bot will prompt you to sign by
+posting a one-line comment. You only sign once.
+
+## What's open vs. commercial
+
+This repository is the open core — Apache-2.0 (code) and CC BY 4.0 (spec/docs).
+Commercial components (the hosted evidence service, registry network, compliance
+products, and enterprise/regulated-system adapters) live in separate repositories
+and are **not** accepted here. See [`GOVERNANCE.md`](GOVERNANCE.md).
+
 ## Principles
 
 - Prefer local-first behavior over distributed assumptions.

GOVERNANCE.md

@@ -0,0 +1,50 @@
+# CHP Governance & the Open / Commercial Boundary
+
+CHP is stewarded by **Project Auxo, Inc.** ("the Company"). This document records
+how the project is licensed per-asset and — importantly — where the line sits
+between the open core and commercial work, so contributors and adopters always
+know what they're getting.
+
+## Per-asset licensing
+
+| Asset | Location | License |
+|---|---|---|
+| Specification & schemas | `spec/`, `schemas/` | CC BY 4.0 + royalty-free patent grant ([`PATENTS`](PATENTS)) |
+| Reference SDK & runtime | `packages/python`, `packages/ts-runtime`, `packages/ts-types`, `packages/chp-host` | Apache-2.0 |
+| First-party & community adapters | `packages/chp-adapter-*`, the `chp-adapter-template` repo | Apache-2.0 |
+| Conformance suite | `conformance/` | Apache-2.0 |
+| Trademarks ("CHP", "CHP-Certified") | — | Retained by the Company ([`TRADEMARK.md`](TRADEMARK.md)) |
+
+The open core is open for good: the Company does **not** intend to relicense or
+withdraw already-published Apache-2.0 or CC BY material. The CLA's relicensing
+right exists to enable *additional* licensing (e.g., dual licensing), not to
+close what is already open.
+
+## What lives here vs. elsewhere
+
+**This repository (and the other public CHP repos) is the open core.** It holds
+the protocol, the SDK, the adapters that make the protocol useful, and the
+conformance suite. Contributions here are accepted under [`CLA.md`](CLA.md).
+
+**Commercial components are developed in separate, private repositories** and are
+**not** accepted into this repo:
+
+- the hosted evidence / verification service ("the notary");
+- the cross-organization registry / trust network;
+- compliance & attestation products;
+- adapters to enterprise or regulated systems built or sold by the Company.
+
+This boundary is deliberate. It keeps the open core genuinely open and
+unencumbered, while letting the Company fund CHP's development from services and
+products layered *on top of* the protocol — never by restricting the protocol
+itself. The licensing of those commercial components (proprietary vs.
+source-available/BSL) is decided per-product and is out of scope for this repo.
+
+## Decision-making
+
+While CHP is early (v0.x), the Company maintains the specification and merges
+contributions, prioritizing a small, explicit, testable surface (see
+[`CONTRIBUTING.md`](CONTRIBUTING.md)). As the ecosystem grows we intend to open
+governance further — up to and including moving the specification to a neutral
+standards footing — once the model is stable. Optionality to do so is preserved
+by the CLA and the per-asset licensing above.

LICENSE

@@ -168,7 +168,7 @@
 
    END OF TERMS AND CONDITIONS
 
-   Copyright 2026 Auxo
+   Copyright 2026 Project Auxo, Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

LICENSE-DOCS

@@ -20,4 +20,4 @@ measures that legally restrict others from doing anything the license permits.
 
 Full license text: https://creativecommons.org/licenses/by/4.0/legalcode
 
-Copyright 2026 Auxo
+Copyright 2026 Project Auxo, Inc.

NOTICE

@@ -1,5 +1,5 @@
 Capability Host Protocol (CHP)
-Copyright 2026 Auxo
+Copyright 2026 Project Auxo, Inc.
 
 This product includes software developed by the CHP project contributors.
 
@@ -9,3 +9,10 @@ the Apache License, Version 2.0. See LICENSE for the full text.
 Specification, schemas, and documentation (spec/, docs/, schemas/) are
 licensed under the Creative Commons Attribution 4.0 International License.
 See LICENSE-DOCS for the full text.
+
+Implementing the specification is additionally covered by a royalty-free
+patent grant. See PATENTS for the full text.
+
+"Capability Host Protocol", "CHP", "CHP-Certified", and the CHP logo are
+trademarks of Project Auxo, Inc. Trademark use is governed by TRADEMARK.md
+and is NOT granted by the code or documentation licenses above.

PATENTS

@@ -0,0 +1,55 @@
+CHP Specification — Royalty-Free Patent Grant
+
+  DRAFT — pending legal review. This grant is adapted from common royalty-free
+  standards patent policies (e.g., the Open Web Foundation / W3C style). It has
+  not yet been reviewed by counsel and is not final.
+
+Purpose
+
+  The CHP specification, schemas, and documentation are licensed for copyright
+  purposes under CC BY 4.0 (see LICENSE-DOCS). Copyright permission alone does
+  not assure implementers that they may build conforming implementations free of
+  patent claims. This document adds that assurance. The intent is simple: anyone
+  may implement the CHP specification, for free, forever.
+
+Definitions
+
+  "Specification" means the version(s) of the Capability Host Protocol
+  specification and schemas published in this repository under spec/ and
+  schemas/ to which this grant is attached.
+
+  "Covered Claims" means those patent claims, owned or controlled by Project
+  Auxo, Inc., that are necessarily infringed by implementing the required
+  portions of the Specification, where "necessarily infringed" means there is no
+  commercially reasonable, non-infringing way to implement those required
+  portions. Covered Claims do NOT include claims that would be infringed only by:
+  (a) enabling technologies not required to implement the Specification;
+  (b) implementing optional portions; or
+  (c) implementation techniques, optimizations, or services not described as
+      required in the Specification (for example, a hosted evidence service,
+      anchoring/timestamping methods, or compliance products).
+
+Grant
+
+  Project Auxo, Inc. grants to every implementer a perpetual, worldwide,
+  non-exclusive, no-charge, royalty-free, irrevocable (except as stated in
+  "Defensive Termination") license under the Covered Claims to make, have made,
+  use, sell, offer for sale, import, and distribute implementations of the
+  Specification.
+
+Defensive Termination
+
+  The license granted above terminates automatically as to any person or entity
+  that initiates patent litigation (including a cross-claim or counterclaim)
+  alleging that the Specification, or any conforming implementation of it,
+  infringes a patent.
+
+Scope and reservation of rights
+
+  This grant is limited to the Covered Claims and to the published version(s) of
+  the Specification. Future versions may be accompanied by their own grants.
+  Except for the license expressly granted here, Project Auxo, Inc. reserves all
+  patent rights — including all rights in inventions that are not required to
+  implement the Specification. Contributions to the Specification are governed by
+  the patent license in CLA.md, which is intended to be consistent with this
+  grant.

README.md

@@ -162,4 +162,12 @@ Guiding rule:
 
 ## License
 
-MIT. See `LICENSE`.
+CHP is dual-licensed by asset:
+
+- **Code** (`packages/`, `conformance/`, `examples/`, `scripts/`): Apache License 2.0 — see [`LICENSE`](LICENSE).
+- **Specification, schemas & docs** (`spec/`, `schemas/`, `docs/`): Creative Commons Attribution 4.0 (CC BY 4.0) — see [`LICENSE-DOCS`](LICENSE-DOCS). Implementing the specification is additionally covered by a royalty-free patent grant — see [`PATENTS`](PATENTS).
+- **Trademarks**: "CHP" and "CHP-Certified" — see [`TRADEMARK.md`](TRADEMARK.md).
+
+Contributions are accepted under the [Contributor License Agreement](CLA.md); see [`CONTRIBUTING.md`](CONTRIBUTING.md).
+
+Copyright © 2026 Project Auxo, Inc. See [`NOTICE`](NOTICE).

TRADEMARK.md

@@ -0,0 +1,61 @@
+# CHP Trademark & Conformance-Mark Policy
+
+> **DRAFT — pending legal review.** Adapted from common open-source trademark
+> policies (e.g., the model used by CNCF/Linux Foundation projects) for Project
+> Auxo, Inc. Not yet reviewed by counsel.
+
+The names **"Capability Host Protocol"** and **"CHP"**, the CHP logo, and
+**"CHP-Certified"** (together, the "Marks") are trademarks of **Project Auxo,
+Inc.** ("the Company"). The *code* and *specification* are openly licensed (see
+[`NOTICE`](NOTICE)); the *Marks* are not — they are how users know something is
+genuinely CHP and trustworthy. This policy explains how you may use them.
+
+The guiding principle: **you may use the Marks to refer to CHP truthfully; you
+may not use them in a way that implies endorsement, certification, or origin
+that isn't real.**
+
+## You may, without asking (nominative/fair use)
+
+- State that your product "works with CHP", "implements the Capability Host
+  Protocol", or "is built on CHP" — if true.
+- Use "CHP" in prose, talks, blog posts, and documentation to refer to the
+  protocol.
+- Use the word marks in the name of a community adapter or tool in a descriptive
+  way (e.g., "a CHP adapter for Acme") — provided it does not imply official
+  origin (see below).
+
+## You may not, without written permission
+
+- Use the Marks (or confusingly similar names/logos) as the name of your product,
+  company, or service, or in a way that suggests the Company produces or endorses
+  it.
+- Use the Marks on merchandise, domains, or social accounts in a way likely to
+  cause confusion about origin.
+- Modify the logo, or use it as your own product's icon.
+- Claim or imply **certification or conformance** except as allowed below.
+
+## "CHP-Certified" and conformance claims
+
+"CHP-Certified" and "CHP-Conformant" are **certification claims** and are
+governed:
+
+- You may state that an implementation **"passes the CHP v0.x conformance
+  suite"** if it genuinely passes the suite in [`conformance/`](conformance/) at
+  the stated version, and you can show the evidence on request.
+- You may **not** use the "CHP-Certified" mark or logo until you are enrolled in
+  the certification program operated by the Company (forthcoming). Certification
+  ties the claim to a passing conformance run plus a security/quality review, so
+  that the mark means something to the people relying on it.
+
+## Adapters
+
+Naming and certification of adapters follow the tiered model in
+[`docs/adapter-strategy.md`](docs/adapter-strategy.md). In short: descriptive use
+in a community adapter's name is fine; presenting an adapter as *official* or
+*certified* requires permission/enrollment.
+
+## Questions & permission requests
+
+Open an issue or contact the maintainers. We grant reasonable requests for
+community, educational, and integration use. This policy may evolve; the spirit —
+*truthful reference yes, implied endorsement no* — will not.

docs/adapter-authoring.md

@@ -256,7 +256,7 @@ style or feature completeness. Your adapter remains fully under your control.
 
 | Scope | Package name | Entry-point key |
 |-------|-------------|-----------------|
-| Official (maintained by Auxo) | `chp-adapter-<name>` | `<name>` (e.g. `http`) |
+| Official (maintained by Project Auxo, Inc.) | `chp-adapter-<name>` | `<name>` (e.g. `http`) |
 | Community | `chp-adapter-<name>` (preferred) | `<org>.<name>` (e.g. `myorg.obsidian`) |
 
 ## See also