ownify.docs

Open source & licenses

Every third-party software package ownify runs, grouped by where it lives in the stack, with the upstream project link and its license. Commercial-use licensed throughout — no CC-BY-NC, no research-only weights, no proprietary-API lock-in in the critical path.

Last verified against the deployed stack on 2026-04-27.

Agent runtime

Runs inside each tenant’s isolated Kubernetes pod. One runtime per agent, never shared.

Package	Role	License
MicroClaw ↗	Rust agent runtime with built-in web UI, skill system, channel adapters, and memory store.	See upstream repository

LLM models (served by Fireworks.ai)

ownify only routes to commercial-use open-source weights. Full pricing + license on the pricing page.

Package	Role	License
GPT-OSS 120B ↗	OpenAI open-weights, general-purpose + cheap.	Apache 2.0
DeepSeek V3.2 ↗	Premium reasoning, strong on agents.	DeepSeek License v1 (commercial OK)
Kimi K2.5 ↗	Long-context, agent-tuned workhorse.	Modified MIT (Moonshot)
Kimi K2.6 ↗	Newest Kimi release, same long-context profile.	Modified MIT (Moonshot)
GLM 5.1 ↗	Balanced reasoning from Z.ai.	Apache 2.0 (open checkpoint)

Platform services (in the ownify cluster)

Shared infrastructure every ownify tenant relies on. Running in OVH Germany, one instance per service for the whole platform.

Package	Role	License
Zitadel ↗	Identity provider — Zitadel v3 for sign-in + OIDC. Also powers the Synapse homeserver OIDC login.	Apache 2.0
Synapse ↗	Matrix homeserver at matrix.ownify.ai. Every tenant has a per-agent bot @ownify-<slug>:ownify.ai reachable over end-to-end encrypted Matrix DMs. SSO via Zitadel.	AGPL v3
Element Web ↗	Self-hosted Matrix client at element.ownify.ai. Homeserver pre-configured to ownify.ai so users never see a homeserver picker.	AGPL v3
matrix-rust-sdk ↗	Rust Matrix client library used inside MicroClaw’s channel-matrix feature. Handles E2EE olm/megolm, cross-signing, typing notices, encrypted media.	Apache 2.0
LiteLLM ↗	Multi-provider LLM proxy. Enforces per-tenant budgets + virtual keys; ownify control plane reads spend + token counts directly from its SpendLogs table.	MIT
klaw-web gateway ↗	The single web-egress choke point for tenant agents. Wraps Firecrawl + SearxNG under one auth + rate-limit + SSRF-guard + audit layer. Source in this repo under services/klaw-web/.	Platform component (ownify)
klaw-a2a-gateway ↗	Public ingress for agent-to-agent traffic. Runs the inbound firewall stack — AAE verify, MolTrust gate, content sanitiser, rate limit, recursion depth guard, per-tool ACL — before forwarding to the tenant’s MicroClaw pod. Source under services/klaw-a2a-gateway/.	Platform component (ownify)
klaw-egress-scanner ↗	Outbound DLP scanner. Every text the agent tries to send on any channel is scanned for tokens, JWTs, PEM keys, internal paths and YAML secret signatures. Redacts or refuses before delivery. Source under services/klaw-egress-scanner/.	Platform component (ownify)
klaw-router ↗	Task-category LLM router. MicroClaw pods call it with model="klaw-auto"; a small classifier picks the right model per request from the open-weights catalog. Source under services/klaw-router/.	Platform component (ownify)
klaw-memgate ↗	Per-tenant memory access boundary. Bearer + ACL + AAE envelope verification on every memory_query / memory_upsert / list_drawers / search call. Source under memgate/.	Platform component (ownify)
Firecrawl ↗	Self-hosted HTML-to-markdown scraper with JS rendering. Backs klaw-web’s /v1/fetch and /v1/extract.	AGPL v3
SearxNG ↗	Self-hosted metasearch aggregator. Backs klaw-web’s /v1/search.	AGPL v3
Langfuse ↗	LLM observability (traces, token counts). One project per platform today.	MIT (community edition)
CloudNativePG ↗	Postgres operator — runs Postgres for control plane, Zitadel, LiteLLM, Langfuse.	Apache 2.0
PostgreSQL ↗	Primary relational database for every ownify service.	PostgreSQL License
MinIO ↗	S3-compatible object storage for documents, backups, Langfuse assets.	AGPL v3
cert-manager ↗	Per-tenant TLS certificate issuance + renewal via Let’s Encrypt.	Apache 2.0
ingress-nginx ↗	HTTP reverse-proxy in front of every public ownify subdomain.	Apache 2.0
Kubernetes ↗	Workload orchestrator — every ownify service, every tenant pod.	Apache 2.0

Control plane (Node.js server)

The tenant-provisioning, billing, and audit API surface. Runs as a single Deployment in the klaw-control-plane namespace.

Package	Role	License
Express ↗	HTTP router + middleware.	MIT
@kubernetes/client-node ↗	Official Kubernetes client — every kubectl-like operation ownify performs.	Apache 2.0
pg ↗	PostgreSQL driver for the control plane’s own database.	MIT
jose ↗	JWT / JWS / JWE signing + verification — session tokens, AAE envelopes.	MIT
stripe (SDK) ↗	Stripe API client — customers, subscriptions, checkout, webhooks.	MIT
zod ↗	Runtime schema validation for every API request body.	MIT
pino + pino-http ↗	Structured JSON logging with per-request context.	MIT

Portal (Next.js app)

The signed-in dashboard + public marketing site at ownify.ai. Server-rendered, reverse-proxies requests to each tenant’s MicroClaw pod on their subdomain.

Package	Role	License
Next.js ↗	React framework — server components, routing, build.	MIT
React + React DOM ↗	UI library.	MIT
NextAuth (Auth.js) ↗	Zitadel OIDC session handling + refresh token rotation.	ISC
http-proxy-3 ↗	HTTP + WebSocket passthrough for the per-tenant subdomain reverse proxy.	MIT

External providers (not ownify-operated)

Third-party services ownify depends on but does not run itself. Linked here so you can check their terms + privacy directly.

Package	Role	License
Fireworks.ai ↗	Serverless GPU inference for every LLM request. Zero Data Retention contract; prompts + completions are not logged or used for training.	Commercial service
Stripe ↗	Payment processing + EU VAT (Stripe Tax). Card data never touches ownify.	Commercial service
OVHcloud ↗	Managed Kubernetes + storage in OVH Germany (Frankfurt) — where ownify and your agent live.	Commercial service
Base L2 ↗	Public Ethereum L2 used to anchor per-interaction proof hashes on higher plans.	Open public blockchain
MolTrust ↗	Agent identity + trust protocol. See /trust for the full integration story.	See upstream docs

Reporting a licensing issue

If you spot a package above that shouldn’t be listed, is listed under the wrong license, or has changed license upstream — email info@dsncon.com and we’ll correct it. ownify’s licensing stance is a hard product requirement, not an afterthought.