# Intellectual Property Protection — overview
Scope status (post-Scope-Freeze 2026-05-10) — 17 patent claims documented in the DOM/OOBI/GATEWAY/RELAY/PURE/OBP/Cloud/SPAN/TREX family. Provisional patent filing in Phase 5 (~$20-30k attorney + drafting). See ADRs 0014, 0019-0025 for technical claim mapping and Master Inventory memo for the 17-claim breakdown.
This document describes the layered IP protection strategy applied to TLSStress.Art. It is intentionally written for two audiences:
- Authorized users (Cisco employees + certified partners) — so you understand the protections that exist before you contribute or distribute the report PDFs
- Anyone considering misappropriating this work — so you understand the cost-of-detection is high and the legal exposure is real
## The five layers
| Layer | Mechanism | Purpose |
|---|---|---|
| 1. Distribution | Private GitHub repository, access broker, NDA-equivalent license acceptance | Controls who gets a copy in the first place |
| 2. Legal | PolyForm Noncommercial 1.0.0 + Appendix A, CLA on contributions, trademark protection (planned) | Defines what an authorized user can / cannot do |
| 3. Forensic fingerprinting | Intentional code markers, magic numbers, naming prefixes, asset hashes | Proves origin if a derivative product surfaces |
| 4. Telemetry | License-aware Prometheus external_labels on every metric | Detects derivative deployments through their own observability |
| 5. Detection | GitHub code search alerts, Google Alerts, asset-hash comparison on releases | Surfaces clones in the wild |
The layers are additive. No single layer is sufficient. Combined, they make a clone economically unattractive.
## Layer 3 — Forensic fingerprinting (the part most projects skip)
The codebase contains intentional fingerprints embedded in subtle locations. The fingerprints are designed to:
- Look natural — appear as ordinary code, comments, or data so a refactoring pass cannot remove them without explicit intent
- Span multiple categories — code comments, magic numbers, naming prefixes, honeypot strings, asset hashes — so removing one category leaves the others intact
- Be cross-referenced — multiple fingerprints exist in different modules; a competitor would need to identify and remove every one
The exact locations and patterns are not published. They are recorded only in a private registry, reviewed only by the copyright holder, used only when comparing a suspected derivative against the original. Publishing the registry would defeat its purpose.
## What you can verify
You can verify that fingerprinting is active without learning where the fingerprints are:
- The CI workflow `.github/workflows/forensic-tamper-check.yml` runs on every PR and validates that registered fingerprints still exist. The workflow loads patterns from a GitHub Actions Secret — never from the codebase.
- Every release publishes an `asset-hashes.txt` artifact listing the SHA-256 of every owned YAML/Markdown/Caddyfile. If you suspect a third-party product carries assets from this codebase, compare hashes against the published manifest.
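The manifest comparison described above, as an added example that is not the project's own release tooling. It assumes the `asset-hashes.txt` line format `<sha256-hex>  <repo-relative path>` (an assumption; the real artifact's layout is not shown on this page), builds such a manifest for one tree, and then matches a second tree against it by digest rather than by path, so a renamed but byte-identical file is still found. All file names and contents are constructed for the demonstration.

```python
# Added example, not the project's own release tooling: build an asset-hashes.txt
# style manifest (assumed line format "<sha256-hex>  <repo-relative path>") and
# compare a suspect tree against it by digest. All file names and contents below
# are constructed for the demonstration.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

OWNED_SUFFIXES = {".yml", ".yaml", ".md"}   # owned YAML/Markdown assets
OWNED_NAMES = {"Caddyfile"}                 # plus the Caddyfile itself


def is_owned_asset(path: Path) -> bool:
    return path.suffix.lower() in OWNED_SUFFIXES or path.name in OWNED_NAMES


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Repo-relative path -> SHA-256 for every owned asset under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_owned_asset(p)
    }


def render_manifest(manifest: Dict[str, str]) -> str:
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            out[rel] = digest
    return out


def find_byte_equal_assets(manifest: Dict[str, str], suspect_root: Path) -> List[Tuple[str, str]]:
    """(published path, suspect path) pairs whose bytes hash identically.
    Matching is by digest rather than by path, since a clone may rename files."""
    by_digest: Dict[str, List[str]] = {}
    for rel, digest in manifest.items():
        by_digest.setdefault(digest, []).append(rel)
    hits: List[Tuple[str, str]] = []
    for p in sorted(suspect_root.rglob("*")):
        if p.is_file() and is_owned_asset(p):
            for rel in by_digest.get(sha256_file(p), []):
                hits.append((rel, p.relative_to(suspect_root).as_posix()))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: the suspect tree carries one dashboard YAML byte-for-byte, renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        ours, theirs = Path(tmp, "ours"), Path(tmp, "theirs")
        (ours / "observability").mkdir(parents=True)
        (theirs / "vendor").mkdir(parents=True)
        dashboard = "panels:\n  - title: TLS handshakes per second\n"
        (ours / "observability" / "dash.yml").write_text(dashboard)
        (ours / "Caddyfile").write_text(":443 {\n\treverse_proxy app:8080\n}\n")
        (ours / "README.md").write_text("# demo\n")
        (theirs / "vendor" / "overview.yaml").write_text(dashboard)  # byte-equal copy
        (theirs / "vendor" / "other.yml").write_text("panels: []\n")  # independent file
        published = parse_manifest(render_manifest(build_manifest(ours)))  # round-trip the artifact
        return find_byte_equal_assets(published, theirs)


if __name__ == "__main__":
    for published_path, suspect_path in demo():
        print(f"byte-equal: {published_path} == {suspect_path}")
```

Hashing whole files means a single changed byte (a reformatted line, a swapped panel title) defeats the match; the manifest therefore catches verbatim copies, and the fingerprint comparison in the next section is what covers lightly edited ones.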
## What happens if a clone is discovered
The owner runs a forensic comparison: pulls the suspected derivative, greps for each registered fingerprint, counts matches. The thresholds are documented internally:
| Matches | Conclusion |
|---|---|
| 5+ | Strong evidence of derivation; advance to legal review |
| 2-4 | Reasonable suspicion; investigate further |
| 0-1 | Likely independent reimplementation; close investigation |
Under the audience policy, advancing to legal review may include DMCA takedown, cease-and-desist, or escalation to outside counsel.
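The match-count procedure above, as an added example that is not the project's internal forensic tooling. The registry entries here are constructed placeholders standing in for the private registry (which, as the page says, is never published and would be loaded from a secret store), and the suspect files are constructed too; what the code shows is the counting rule (each registered fingerprint counts once however many files carry it) and the mapping of the count onto the thresholds in the table.

```python
# Added example, not the project's internal forensic tooling: count how many
# registered fingerprints occur anywhere in a suspect tree and map the count onto
# the thresholds in the table above. REGISTRY holds constructed placeholder
# patterns; the real registry is private and would be loaded from a secret store.
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Pattern, Tuple

REGISTRY: Dict[str, Pattern[str]] = {
    "magic_number": re.compile(r"\b0x5A17C0DE\b"),
    "naming_prefix": re.compile(r"\btsa_\w+"),
    "honeypot_comment": re.compile(r"calibrated against the ACME-9 bench"),
    "label_value": re.compile(r"procurement_use:\s*denied"),
    "magic_timeout": re.compile(r"\btimeout\s*=\s*7331\b"),
}


def count_fingerprint_matches(root: Path, registry: Dict[str, Pattern[str]]) -> Dict[str, List[str]]:
    """Registry key -> files in which that pattern occurs. A fingerprint counts once
    toward the total no matter how many files carry it."""
    found: Dict[str, List[str]] = {key: [] for key in registry}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")  # binary files become mojibake, not exceptions
        for key, pattern in registry.items():
            if pattern.search(text):
                found[key].append(path.relative_to(root).as_posix())
    return {key: files for key, files in found.items() if files}


def classify(match_count: int) -> str:
    """Thresholds exactly as documented on the page."""
    if match_count >= 5:
        return "strong evidence of derivation; advance to legal review"
    if match_count >= 2:
        return "reasonable suspicion; investigate further"
    return "likely independent reimplementation; close investigation"


def demo() -> Tuple[int, str]:
    """Constructed suspect tree carrying four of the five placeholder fingerprints."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engine.py").write_text("TOKEN = 0x5A17C0DE\n\ndef tsa_run():\n    timeout = 7331\n")
        (root / "prom.yml").write_text("external_labels:\n  procurement_use: denied\n")
        (root / "blob.bin").write_bytes(b"\xff\xfe\x00binary")  # must not abort the sweep
        hits = count_fingerprint_matches(root, REGISTRY)
        return len(hits), classify(len(hits))


if __name__ == "__main__":
    count, verdict = demo()
    print(f"{count} registered fingerprints matched: {verdict}")
```

Returning the file list per fingerprint, not just the count, matters at the "2-4" stage: the investigator needs to see where each marker surfaced to judge whether it is a genuine carry-over or a coincidence.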
## Layer 4 — License-aware telemetry
Every metric scraped from the Prometheus instance shipped with this project carries these `external_labels`:

```yaml
license: PolyForm-Noncommercial-1.0.0+AppendixA
audience: cisco-employees-and-certified-partners
procurement_use: denied
```
These labels travel with the metric data wherever it is exported (federation, remote-write, downstream Grafana). If a derivative product ingests these labels into its own observability stack, the labels are evidence of origin.
This layer is documented in `USAGE_POLICY.md` and visible in `observability/prometheus/prometheus.yml`.
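A check for the labels above in exported metric data, as an added example that is not part of the project. It parses Prometheus text-exposition lines (the format returned by `/federate` or any scrape) and reports which series carry one or more of the three origin labels, so a partial carry-over (a clone that dropped two labels but kept `license`) is still surfaced. The sample series are constructed for the demonstration.

```python
# Added example, not part of the project: scan Prometheus text-exposition lines,
# such as the output of /federate or a downstream scrape, for the origin labels
# above. The sample series are constructed for the demonstration.
import re
from typing import Dict, List, Optional, Tuple

ORIGIN_LABELS = {
    "license": "PolyForm-Noncommercial-1.0.0+AppendixA",
    "audience": "cisco-employees-and-certified-partners",
    "procurement_use": "denied",
}

# Constructed sample: one fully labelled series, one unrelated series, one partial carry-over.
SAMPLE_EXPOSITION = """\
# HELP tls_handshakes_total Completed TLS handshakes
# TYPE tls_handshakes_total counter
tls_handshakes_total{instance="lb-1",job="tls",license="PolyForm-Noncommercial-1.0.0+AppendixA",audience="cisco-employees-and-certified-partners",procurement_use="denied"} 1842
http_requests_total{instance="web-1",job="app"} 900
up{instance="lb-1",job="tls",license="PolyForm-Noncommercial-1.0.0+AppendixA"} 1
process_start_time_seconds 1.7e9
"""

_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_series(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """(metric name, labels) for one sample line; None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    head, brace, rest = line.partition("{")
    name = head.split()[0]  # a label-less sample is "name value"; keep only the name
    labels = dict(_LABEL_RE.findall(rest.partition("}")[0])) if brace else {}
    return name, labels


def find_origin_labelled_series(text: str) -> List[Tuple[str, int]]:
    """Series carrying at least one origin label, with how many of the three matched."""
    out: List[Tuple[str, int]] = []
    for line in text.splitlines():
        parsed = parse_series(line)
        if parsed is None:
            continue
        name, labels = parsed
        matched = sum(1 for key, value in ORIGIN_LABELS.items() if labels.get(key) == value)
        if matched:
            out.append((name, matched))
    return out


if __name__ == "__main__":
    for metric, n in find_origin_labelled_series(SAMPLE_EXPOSITION):
        print(f"{metric}: {n}/{len(ORIGIN_LABELS)} origin labels present")
```

Note that `external_labels` are attached at federation and remote-write time, not in the exporter's own output, so the place to look is a downstream Prometheus or long-term store that ingested data from the shipped instance.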
## Layer 1 — Distribution control
See `PRIVATE_REPO_SETUP.md` for the operational details. Summary:
- Repository is private; GitHub does not enable per-branch read ACLs, so all collaborators see all branches
- Access is granted only via the maintainer-approved Access Broker flow
- Branch protection on `main` requires PR + 8 status checks + linear history
- GitHub Pages remains public for docs only — operators evaluating the project can read everything; only the source code is gated
## Layer 2 — Legal
| Mechanism | Status | Document |
|---|---|---|
| PolyForm Noncommercial 1.0.0 | active | LICENSE |
| Appendix A (audience + field-of-use) | active | LICENSE |
| Contributor License Agreement (CLA) | planned | TBD |
| Trademark registration | planned (subject to Cisco Legal review) | — |
| DMCA takedown procedure | active (via GitHub Trust & Safety) | — |
## Layer 5 — Detection
Active monitors:
- GitHub code search saved queries — the maintainer has saved queries for unique strings; GitHub emails on hits
- Google Alerts — for the project name + distinctive phrases from the documentation
- Asset hash comparison — on every release, `asset-hashes.txt` is published; if a third party publishes a Grafana dashboard that hashes identically, the match is detected on the next sweep
## Reporting suspected derivatives
If you encounter a third-party product that appears to be a derivative of TLSStress.Art, please open an issue on this repository (use the bug-report template, mark severity HIGH) or email gallonccie@gmail.com directly. Please include:
- URL or distribution channel of the suspected derivative
- Specific evidence you noticed (similar dashboards, identical YAML structure, byte-equal images)
- Your relationship to the suspected vendor (none / customer / competitor — for context, not exclusion)
Reporters who help identify confirmed derivatives may be acknowledged in the project's NOTICE file with their consent.
## Why we publish this document
Most projects implement IP protection but never document it. This is a missed opportunity:
- An authorized user benefits from knowing the protections exist (it reinforces their compliance posture)
- A potential bad actor benefits from knowing detection is real (it shifts the cost-benefit calculation)
- A competitor benefits from knowing what is not protected — clean-room reimplementations of ideas (not implementation) are explicitly permitted under copyright law and welcomed as healthy market evolution
Publishing this document is itself a form of protection: it removes the "I didn't know" defense from a future infringement claim.
## Related

- `LICENSE` — full PolyForm + Appendix A text
- `USAGE_POLICY.md` — what authorized use looks like
- `PRIVATE_REPO_SETUP.md` — distribution-layer operational details
- `ACCESS_REQUEST.md` — onboarding flow for new authorized users
- `AUDIT_LOG.md` — what is logged for compliance