# ADR-002: License = AGPL-3.0-or-later

## Status

Accepted

## Date

2026-05-30

## Context

pvtcoms needs a license. Investigated (SR-001) with Codex + Gemini + web research against actual repo LICENSE files and
GNU/Apple terms. Key facts:
- Signal's **SPQR and RingRTC are AGPL-3.0-only**; reusing them forces AGPL on the combined work. But they aren't needed in
  v1 (PQ handshake uses permissive `ml-kem`/`x25519-dalek`; SPQR=v2, RingRTC=v3) — so the license is a **free choice**, not forced.
- The trust-critical messenger peer group has **consolidated on AGPL-3.0** (Signal, libsignal, SimpleX, Molly, Element/Element X,
  Threema apps, Wire-server). Next tier GPL-3.0 (Session, Briar).
- **AGPL apps ship on the App Store today** (Signal, SimpleX, Molly, Element X). The historic VLC block was GPLv2; GPLv3/AGPLv3 §7
  + first-party publishing resolve it. Reusing *third-party* AGPL on iOS needs an App Store additional-permission exception
  (Signal added one).
- AGPL **§13** (network-source offer) is essentially **inert** for a serverless P2P app (no remote service the user interacts with).
- MIT/Apache-2.0 crates are **one-way compatible** as deps of an AGPL project (Apache-2.0→AGPLv3 OK).
- License is **necessary-but-not-sufficient**: reproducible builds + audits are what actually deter backdoored forks.

Gemini argued for MPL-2.0 (allows closed UI wrappers, cleaner App Store optics, no CLA). Rejected: MPL's escape hatch (closed
wrappers) is undesirable for a trust-critical app, and it gives up the strong fork-prevention + clean SPQR-reuse path. Its
valid points (DCO over CLA, reproducible builds, permissive crypto deps) are adopted independently.

## Decision

License pvtcoms's Rust core + clients under **AGPL-3.0-or-later**, with:
- an explicit **App Store additional-permission exception** (Signal's pattern) so honest forks can ship on iOS and our own
  AGPL+future-SPQR binary is cleanly distributable;
- a **DCO** (Developer Certificate of Origin), **not** a CLA, to keep community trust and avoid relicensing distrust;
- a **separate trademark policy** (name/logo distinct from the code license);
- **reproducible builds + published third-party audits + signed releases** as the real trust mechanism;
- **`cargo-deny` license allowlist** in CI (allow MIT/Apache-2.0/BSD/ISC/Zlib/Unicode/MPL-2.0; deny GPLv2-only/proprietary).
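A `deny.toml` that enforces the allowlist above, added here as an illustration rather than the project's own file; the first-party crate names and the confidence threshold are assumptions. It also shows the one thing the bullet does not: the workspace's own AGPL crates need an explicit exception, otherwise the allowlist rejects them.

```toml
# deny.toml (hypothetical example for the pvtcoms workspace, not the project's file).
# Run in CI with: cargo deny check licenses
[licenses]
version = 2                  # allowlist-only semantics: any license missing from `allow` fails
confidence-threshold = 0.93  # minimum SPDX-detector confidence for a LICENSE text (assumed value)

# Permissive licenses, one-way compatible as dependencies of an AGPL-3.0-or-later project.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "Unicode-DFS-2016",      # SPDX identifiers behind the ADR's "Unicode" entry
    "Unicode-3.0",
    "MPL-2.0",
]

# GPL-2.0-only, proprietary and unrecognised licenses need no explicit deny entry:
# with version = 2 everything absent from `allow` is rejected.

# The first-party crates are AGPL-3.0-or-later, deliberately absent from `allow`.
# Grant it per crate so a transitive AGPL dependency still fails the check.
exceptions = [
    { allow = ["AGPL-3.0-or-later"], crate = "pvtcoms-core" },    # crate names assumed
    { allow = ["AGPL-3.0-or-later"], crate = "pvtcoms-client" },
]

# Unpublished workspace crates (publish = false) are skipped entirely.
private = { ignore = true }
```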

## Consequences

### Positive
- Strongest legal stance against closed/backdoored forks; aligns with the high-threat positioning and the AGPL peer group.
- Keeps the option to reuse Signal SPQR/RingRTC later (verify their App Store grant at that point).
- Ships on App Store + Google Play + F-Droid (F-Droid prefers AGPL).

### Negative
- Reduced corporate/commercial adoption (acceptable — not the target).
- If we ever vendor third-party AGPL code for iOS, we must first confirm that it carries an App Store exception grant (a ship-blocker if absent).

### Neutral
- DCO means we don't hold consolidated copyright; for our own first-party code + our own App Store exception grant this is
  sufficient for self-distribution. Revisit if dual-licensing is ever wanted.
- Implementation tracked as SR-2026-05-30-004 (add LICENSE text, exception, DCO, trademark, cargo-deny allowlist).
