Spec · RS-1 · 2026-05-16

Artifact licenses, tagged in the manifest.

Every .kolm carries a license tag in its manifest. The receipt seal binds the license to the artifact, so a third party can verify the license terms have not been edited after the fact. Default is open for inference, evaluation, and redistribution-with-attribution. Authors can override with any SPDX license at compile time.

The default license

Every artifact compiled without an explicit license argument gets tagged with LicenseRef-kolm-default-1.0. This is a permissive license designed for shared registry artifacts:

LicenseRef-kolm-default-1.0

The kolm default artifact license, version 1.0. Applies to a single .kolm artifact and the recipes / evals / receipts bundled inside it. Not a software license; the kolm CLI and server code are Apache-2.0 separately.

Allows
  • Inference. Run the artifact, locally or in a hosted bridge, on any input. No restrictions on purpose.
  • Evaluation. Score, benchmark, fuzz, and audit the artifact. Publish results.
  • Redistribution with attribution. Re-publish the artifact unchanged, in or outside the kolm registry, as long as the license manifest field is preserved and you link back to the original publisher's record.
Requires
  • Preserve receipt. The 4-ring HMAC receipt chain and the seal must travel with the artifact. Stripping the receipt invalidates the license.
  • Preserve attribution. The original publisher's tenant ID and the original artifact CID must be discoverable from the redistributed copy.
Forbids
  • Re-signing without recompile. You cannot strip the receipt, modify the artifact, and re-sign with your own key. To publish a derivative, recompile from your own recipe and seed pack.
  • Removing the manifest. The manifest and its embedded license tag are part of the artifact's identity. Removing the manifest produces a non-conforming artifact that will fail offline verification (the verify subcommand, full invocation in the docs).
Effective text

Permission is granted, free of charge, to any person obtaining a copy of this artifact (the "Artifact"), to run inference on the Artifact, to evaluate the Artifact, and to redistribute the Artifact in its original form, subject to the following conditions: (1) the manifest, including the license field, must be preserved unchanged; (2) the HMAC receipt chain must accompany every copy; (3) attribution to the original publisher and original artifact content identifier (CID) must be preserved. THE ARTIFACT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE PUBLISHER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY ARISING FROM THE USE OF THE ARTIFACT.

Tagging an artifact with a different license

Pass --license <spdx-id> to kolm compile to override the default. Any SPDX license identifier is accepted; the kolm CLI does not enforce the terms but does record them in the manifest and bind them to the receipt seal.

# Apache 2.0 (most permissive of the "preserve notice" group)
$ kolm compile -t spam_classifier -d ./examples.jsonl --license Apache-2.0

# MIT (shortest "preserve notice" license)
$ kolm compile -t haiku_writer -d ./examples.jsonl --license MIT

# CC-BY 4.0 (best for non-code artifacts; clinical templates, copywriting)
$ kolm compile -t clinical_summary -d ./examples.jsonl --license CC-BY-4.0

# Proprietary (publish to a private registry only)
$ kolm compile -t internal_tool -d ./examples.jsonl --license LicenseRef-proprietary

SPDX licenses commonly used on kolm

The following licenses appear most often in the public registry. Pick the one whose terms match how you want the artifact to be used.

| SPDX ID | What it permits | When to pick |
| --- | --- | --- |
| LicenseRef-kolm-default-1.0 | Inference, evaluation, attributed redistribution. Receipt chain must travel with the artifact. Default if no license is set. | most artifacts |
| Apache-2.0 | Permissive. Allows commercial use, modification, distribution, patent grant. Requires license notice + statement of changes if modified. | code artifacts |
| MIT | Shortest permissive license. Allows everything as long as the copyright + license notice are preserved. No patent clause. | utilities |
| CC-BY-4.0 | Creative Commons Attribution. Designed for content rather than code. Allows commercial use; requires attribution. | templates, copy |
| CC-BY-NC-4.0 | Like CC-BY but forbids commercial use. Best for research artifacts that should not be productized without contact. | research only |
| LicenseRef-proprietary | All rights reserved. The artifact can only be used by the publisher and their named licensees. Best for private registry deployments. | internal use |

How the license is bound to the artifact

The license tag is a field in the artifact manifest:

{
  "spec": "kolm-manifest/0.2",
  "task": "redact PHI per HIPAA Safe Harbor",
  "license": {
    "id":        "LicenseRef-kolm-default-1.0",
    "name":      "kolm default artifact license (1.0)",
    "url":       "https://kolm.ai/license#artifact-default-1-0",
    "allows":    ["inference", "evaluation", "redistribution-with-attribution"],
    "requires":  ["preserve-receipt", "preserve-attribution"],
    "forbids":   []
  },
  ...
}

The manifest is hashed into the artifact CID; the CID is sealed by the 4-ring HMAC chain. Changing the license tag after the fact breaks the seal. A third party reading the artifact knows the license has not been tampered with as long as the receipt verifies.
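
The binding described above, as a simplified model added here for illustration; it is not kolm's code or wire format. The canonical-JSON SHA-256 CID, the way the four rings are chained, the receipt layout, and the ring keys are all assumptions, and the verifier is assumed to hold the ring keys.

```python
import copy, hashlib, hmac, json

# Constructed demo keys; how kolm provisions ring keys is not described on the page.
RING_KEYS = [b"ring-0-demo", b"ring-1-demo", b"ring-2-demo", b"ring-3-demo"]

# Constructed manifest, modelled on the page's example with the elided fields left out.
MANIFEST = {
    "spec": "kolm-manifest/0.2",
    "task": "redact PHI per HIPAA Safe Harbor",
    "license": {"id": "LicenseRef-kolm-default-1.0",
                "requires": ["preserve-receipt", "preserve-attribution"]},
}

def manifest_cid(manifest):
    """Assumed CID: SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def seal(cid, keys=RING_KEYS):
    """Assumed chain: each ring HMACs the CID plus the previous ring's tag."""
    tags, prev = [], b""
    for key in keys:
        prev = hmac.new(key, cid.encode() + prev, hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags

def verify(manifest, receipt, keys=RING_KEYS):
    """Recompute the CID from the manifest as received, then re-derive every ring."""
    if not isinstance(manifest, dict) or "license" not in manifest:
        return False  # stripped manifest or missing license field
    cid = manifest_cid(manifest)
    expected, got = seal(cid, keys), receipt.get("rings", [])
    return (hmac.compare_digest(cid, receipt.get("cid", ""))
            and len(got) == len(expected)
            and all(hmac.compare_digest(a, b) for a, b in zip(expected, got)))

def demo():
    cid = manifest_cid(MANIFEST)
    receipt = {"cid": cid, "rings": seal(cid)}
    relabelled = copy.deepcopy(MANIFEST)
    relabelled["license"]["id"] = "MIT"  # license edited after sealing
    # Receipt whose CID was recomputed for the edited manifest, rings left as issued.
    swapped = {"cid": manifest_cid(relabelled), "rings": receipt["rings"]}
    return {"original": verify(MANIFEST, receipt),
            "relabelled_old_receipt": verify(relabelled, receipt),
            "relabelled_cid_swapped": verify(relabelled, swapped),
            "manifest_removed": verify(None, receipt)}
```

Only the untouched manifest verifies. Recomputing the CID for the edited manifest does not help, because the rings were derived from the original CID.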

Common questions

If I redistribute someone else's artifact, do I get to add my own license?

No. Redistribution preserves the original license. You can recompile a derivative artifact (your own recipes, your own training data), but you cannot relabel someone else's work with a different license.

Does kolm enforce these licenses?

The CLI records and verifies. It does not police. Enforcement is on the publisher and the redistributor. The CID + receipt + license chain gives you evidence to act on if a downstream use violates the terms; the rest is contract law.

Can I publish an artifact with no license at all?

No. The manifest requires a license field. The default LicenseRef-kolm-default-1.0 applies if you do not specify one. To publish under "all rights reserved", explicitly tag LicenseRef-proprietary so downstream users can tell the difference between "the author did not pick" and "the author chose to forbid".

What about training data? Does the license cover the data the artifact was trained on?

No. The license covers the compiled artifact only. Training data provenance is a separate field in the manifest (training + seeds). If your training data was licensed restrictively, you are responsible for ensuring the compiled artifact is a permitted derivative under that license. kolm compile does not check this.

Is there an SPDX-compliant license file inside the .kolm zip?

Not in v1. The manifest field is canonical. In v2 of the spec, an optional LICENSE.txt entry is being considered for compatibility with SBOM scanners that expect file-level license metadata. Track progress in the roadmap.