TL;DR: All twelve Rotalabs libraries are now Apache-2.0, on both PyPI and npm. Red Queen keeps AGPL-3.0 and gains an explicit commercial licensing option. Nothing else changes: same code, same APIs, same maintainers.

Why we changed

When we released our packages in January, we licensed everything AGPL-3.0. It felt like the safe default for a small lab: strong copyleft, nobody takes the work and runs.

In practice, it mostly kept the right people out. Many companies ban AGPL dependencies outright, no exceptions, no review. If you wanted to use rotalabs-eval or rotalabs-steer at a company like that, the conversation was over before anyone looked at the code.

And the protection we were buying didn’t fit the threat. AGPL earns its keep when someone might take your product and resell it as a hosted service. Our libraries aren’t products. They’re research tools you import into your own stack. Nobody is going to host rotalabs-probe as a SaaS. We were paying the full adoption cost of AGPL and getting almost nothing back.

So we fixed it.

What changed

Every library is now Apache-2.0 on both registries. On PyPI, the Apache-2.0 versions start at: rotalabs 1.2.0, rotalabs-eval 1.2.0, rotalabs-probe 1.2.0, rotalabs-steer 1.2.0, and 1.1.0 for accel, audit, cascade, comply, context, fieldmem, graph, and verity. On npm, everything from @rotalabs/context 1.0.1, @rotalabs/rotalabs 0.1.1, and 0.0.2 for the rest.

A few things worth knowing:

  • Attribution is still required. Every package ships a NOTICE file, and Apache-2.0 obligates anyone redistributing the code to keep it, along with the copyright notices.
  • You get a patent grant. Apache-2.0 includes an explicit patent license from us to you, which MIT doesn’t. In this space, that matters.
  • Old versions stay AGPL. We can’t retroactively change what’s already published, and we wouldn’t want to. Upgrade to the versions above and you’re on Apache-2.0.

Red Queen stays AGPL

Red Queen (rotalabs-redqueen) is the exception, deliberately. It’s our adversarial testing and red-teaming engine, and it’s product-shaped in a way the libraries aren’t. It remains AGPL-3.0, and we now offer commercial licenses for teams that want to embed it in proprietary systems or run it as a hosted service. If that’s you, write to [email protected].

Also new: signed provenance on npm

While we were in there, we moved every npm package to trusted publishing. Releases are built by GitHub Actions and published keylessly with signed provenance, so you can verify that what’s on the registry actually came from our repository. No long-lived tokens anywhere in the pipeline.

Questions about any of this? [email protected].