End User License Agreement

Plain-English terms covering Your use of the TruStacks container images during the Beta period. We’ve avoided lawyer-speak wherever the law allows.

Version: 1.0 (Beta)
Last updated: May 15, 2026
Beta period ends: April 28, 2027
Licensor: TruStacks, Inc., a Delaware corporation (“TruStacks”, “we”, “us”)

What this document covers

This EULA governs Your use of the TruStacks container images distributed at ghcr.io/trustacks/control-plane, ghcr.io/trustacks/runner, and ghcr.io/trustacks/ui (collectively, the “Images”), during the TruStacks Beta program.

It does not cover:

  • The TruStacks constitution Rego bundle and framework packs, which are licensed separately under Apache License 2.0 and distributed via the public trustacks-policy repository.
  • The TruStacks quickstart installation scripts, which are licensed separately under Apache License 2.0 and distributed via the public trustacks-quickstart repository.
  • Third-party open-source libraries vendored inside the Images, each of which retains its upstream license. A Software Bill of Materials (SBOM) for every Image release is attached to the Image manifest in the container registry (via Docker Buildx’s sbom: true build output) and is queryable through docker buildx imagetools inspect. See Section 5 and docs/versioning.md in the public TruStacks quickstart repository for the exact command. The Sigstore Rekor transparency log holds the signing events for each Image and SBOM (not the SBOM content itself) and is used to prove that a signature was issued by the TruStacks publishing workflow at a specific time.

By pulling, running, or distributing the Images, You (“You” or “Customer”) agree to the terms below. If You do not agree, do not pull or run the Images.

1. License grant during Beta

During the TruStacks Beta program (the “Beta Period” — see Section 8 for end-date), TruStacks grants You a non-exclusive, non-transferable, royalty-free, revocable license to:

  1. Pull the Images from ghcr.io/trustacks/*.
  2. Run the Images on infrastructure You control (your laptop, your private Kubernetes clusters, your cloud accounts) for the purpose of:
    • Evaluating the TruStacks product.
    • Attending or running a TruStacks workshop or design-partner trial.
    • Developing integrations, customer overlays, or contributions against the published constitution + framework packs.
  3. Make local copies of the Images on Your build systems for caching and air-gapped operation, provided those copies stay within Your infrastructure.

The grant in this Section 1 is the only license to the Images this EULA provides. No other rights — express or implied — are granted.

2. Restrictions

You may NOT, without TruStacks’s prior written permission:

  1. Redistribute the Images outside Your own infrastructure. This includes:
    • Republishing to a public or third-party-accessible container registry.
    • Bundling the Images into a product or distribution You make available to third parties.
    • Sharing image tarballs (e.g., docker save output) with parties outside Your organization.
  2. Reverse engineer, decompile, or disassemble the Images for the purpose of building a competing product. (Reverse engineering for the purpose of interoperability, security review, or academic study is permitted; the bright line is competitive intent.)
  3. Remove, alter, or obscure the OCI image annotations, the LICENSE and NOTICE files, the TruStacks trademark, or any copyright notices.
  4. Use the Images in production to serve external customers or workloads. Production use is governed by a separate commercial license available at General Availability; see Section 8.
  5. Use the Images to build a product that competes with TruStacks.

If You are uncertain whether a use case is permitted, contact legal@trustacks.com before proceeding. We will respond within five business days during the Beta Period.

3. Trademarks

“TruStacks”, the TruStacks logo, and the TruStacks trade dress are trademarks of TruStacks, Inc. Use of these marks is governed by the TruStacks Trademark Policy, which is incorporated into this EULA by reference.

In summary (the canonical policy at the link above governs):

  • You may factually reference TruStacks in technical documentation, blog posts, or talks about Your evaluation of the product.
  • You may not use the TruStacks name or logo in a way that suggests TruStacks endorses, sponsors, or is affiliated with Your product or service without our written permission.
  • You may not distribute a fork or derivative work under the TruStacks name. Forks must be renamed.

4. Open-source components and the public companion repositories

The following are NOT covered by this EULA and are licensed separately:

  • Constitution Rego bundle (trustacks-policy/policy/) — Apache License 2.0.
  • Framework packs (trustacks-policy/frameworks/) — Apache License 2.0.
  • Quickstart installation scripts (trustacks-quickstart/) — Apache License 2.0.
  • Vendored third-party libraries inside the Images — each retains its upstream license. The Image SBOM (attached to each Image manifest in the container registry per Section 5) is the authoritative enumeration of these components. The Sigstore Rekor entry for each Image is the transparency-log proof that the signature was issued by the TruStacks publishing workflow; it complements the SBOM but does not replace it.

You may use, modify, and redistribute the above under their respective licenses without reference to this EULA. The bright line: anything in this list above is open source; the Images themselves are governed by this EULA.

5. Supply-chain provenance

Every Image release is signed via Sigstore keyless OIDC. The signing identity is the publishing GitHub Actions workflow at https://github.com/trustacks/trustacks-mvp/.github/workflows/publish-images.yml. Verification:

cosign verify \
  --certificate-identity-regexp \
    'https://github.com/trustacks/trustacks-mvp/.github/workflows/publish-images.yml@.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/trustacks/<image>:<version>

A failed verification indicates the Image was tampered with or did not originate from TruStacks’s publishing pipeline. Do not run an Image that fails verification. Report suspected tampering to security@trustacks.com.

SBOMs are attached to each Image manifest and queryable via:

docker buildx imagetools inspect ghcr.io/trustacks/<image>:<version> --format '{{ json .SBOM }}'
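
As an added example (not part of the EULA or of TruStacks's own tooling), the verification step above can be wrapped so that what gets pulled is the exact digest cosign vouched for, rather than a tag that may move after the check. The function names are hypothetical, and the parser assumes cosign prints its usual JSON payload, with a docker-manifest-digest field, on stdout.

```shell
#!/bin/sh
# Added example: verify a TruStacks Image, then pin to the verified digest.
# The identity regexp and OIDC issuer are copied from Section 5 above;
# extract_digest and verified_ref are hypothetical helper names.

TS_IDENTITY_RE='https://github.com/trustacks/trustacks-mvp/.github/workflows/publish-images.yml@.*'
TS_ISSUER='https://token.actions.githubusercontent.com'

# extract_digest: read cosign's JSON payload on stdin and print the one digest
# it covers. Fails if the payload names no digest or more than one distinct digest.
extract_digest() {
  set -- $(grep -o '"docker-manifest-digest": *"sha256:[0-9a-f]\{64\}"' \
           | sed 's/.*"\(sha256:[0-9a-f]*\)"/\1/' | sort -u)
  [ $# -eq 1 ] || return 1
  printf '%s\n' "$1"
}

# verified_ref IMAGE: print "repo@sha256:..." only when verification passes.
# Exit 2 = image is outside ghcr.io/trustacks/, exit 1 = verification failed.
verified_ref() {
  image=$1
  case $image in
    ghcr.io/trustacks/*) ;;
    *) echo "refusing: $image is not under ghcr.io/trustacks/" >&2; return 2 ;;
  esac

  # cosign writes the signed payload to stdout and diagnostics to stderr.
  payload=$(cosign verify \
      --certificate-identity-regexp "$TS_IDENTITY_RE" \
      --certificate-oidc-issuer "$TS_ISSUER" \
      "$image") || { echo "verification FAILED: do not run $image" >&2; return 1; }

  digest=$(printf '%s' "$payload" | extract_digest) || {
    echo "no unambiguous digest in cosign output for $image" >&2; return 1; }

  repo=${image%%@*}   # drop an existing @digest, if any
  repo=${repo%:*}     # drop the tag, if any
  printf '%s@%s\n' "$repo" "$digest"
}

# Usage (placeholders as in Section 5):
#   ref=$(verified_ref 'ghcr.io/trustacks/<image>:<version>') && docker pull "$ref"
```

Pulling by the returned reference closes the gap between verifying a tag and running whatever that tag points to a moment later.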

6. No warranty

The Images are provided “AS IS”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement.

The Beta Period is exactly that — a Beta. The Images may contain bugs, security issues, or incomplete features. Do not deploy the Images to production workloads or in regulated environments during the Beta Period. Production-grade terms, support, and SLAs become available at General Availability under a separate commercial agreement.

7. Limitation of liability

To the maximum extent permitted by applicable law, in no event shall TruStacks be liable for any indirect, incidental, special, consequential, or punitive damages — including without limitation lost profits, lost data, business interruption, or cost of substitute services — arising out of or related to Your use of the Images, even if TruStacks has been advised of the possibility of such damages.

TruStacks’s aggregate liability under this EULA shall not exceed one hundred U.S. dollars ($100.00 USD) — the EULA grant is royalty-free; this cap reflects that.

8. Beta Period and transition to General Availability

The Beta Period begins on the date You first pull an Image and continues until the earlier of:

  1. The TruStacks General Availability (GA) launch date. Target: April 28, 2027, the date the company-level product launches publicly with paid subscription tiers. TruStacks reserves the right to move the GA date earlier or later; the live date will be announced at https://trustacks.com at least thirty (30) days in advance.
  2. Termination of this EULA per Section 9.

At GA:

  • The Beta-period grant in Section 1 ends.
  • Continued use of the Images requires a commercial subscription (Developer / Team / Enterprise / Enterprise+ tier) governed by a separate commercial license.
  • TruStacks will provide a thirty (30)-day transition window during which the Beta grant continues while You evaluate and onboard to a commercial tier.
  • The constitution Rego bundle, framework packs, and quickstart scripts remain free and Apache 2.0 — only the Images transition to commercial-license terms.

9. Termination

TruStacks may terminate this EULA, and the license grant in Section 1, upon written notice to You if:

  1. You materially breach this EULA and do not cure the breach within fifteen (15) days after receiving written notice of the breach, in which case termination takes effect at the end of that 15-day cure period if the breach remains uncured.
  2. The Beta Period ends per Section 8, in which case termination takes effect on the date specified in Section 8.
  3. The breach is incurable (for example, an unauthorized public redistribution of an Image that has already occurred), in which case termination takes effect immediately upon written notice.

You may terminate this EULA at any time by ceasing to pull and run the Images and deleting all local copies in Your infrastructure.

Upon termination:

  • Your right to use the Images ends immediately.
  • Sections 6 (No warranty), 7 (Limitation of liability), and 11 (Governing law) survive termination.

10. Updates to this EULA

TruStacks may update this EULA from time to time during the Beta Period. Material changes will be announced at https://trustacks.com at least thirty (30) days before they take effect. Continued use of the Images after the effective date constitutes acceptance of the updated terms.

The version number at the top of this document (currently 1.0) increments on substantive change. The canonical version-history changelog is published at https://trustacks.com/eula alongside the live EULA text. The source-of-truth Markdown for each version is maintained in a TruStacks-internal repository; a plain-language change summary accompanies every version bump on the public page so You can compare versions without repository access.

11. Governing law

This EULA is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws principles. Any dispute arising out of or related to this EULA shall be resolved in the state or federal courts located in Wilmington, Delaware, and You consent to the personal jurisdiction of those courts.
