# NMKR Studio is open-source

## NMKR Studio is Now Open Source

### What This Means

NMKR Studio's complete codebase is now available to the community, including our full-stack web application built with .NET 8.0, C#, and Blazor. This includes all core components: the main UI, REST API, background processing services, Cardano CLI integration, shared libraries, and complete database schema.

### Why We Went Open Source

Our decision to open source NMKR Studio reflects our commitment to the Cardano ecosystem and open development principles:

* **Foster Innovation**: Enable developers to build upon and extend our platform
* **Build Trust**: Provide complete transparency through public code review
* **Strengthen Security**: Allow community security audits and vulnerability reporting
* **Enable Self-Hosting**: Give developers full control over their NFT infrastructure
* **Support Education**: Serve as a reference implementation for NFT platforms
* **Grow Community**: Encourage collaboration and contributions from Cardano developers

NMKR Studio's open source release fulfills our commitment to transparent development and marks an important milestone in our journey to empower the Cardano NFT ecosystem.

### Get Started

Ready to explore, contribute, or deploy your own instance? Our codebase includes comprehensive documentation, configuration templates, and deployment guides to get you started quickly.

**Repository:** [github.com/nmkr-studio/nmkr-studio](https://github.com/nmkr-studio/nmkr-studio)\
**License:** MIT License\
**Documentation:** Complete setup and contribution guides included

### What's Included

* **Full Application Stack**: Complete .NET 8.0 web application with Blazor UI
* **REST API**: Comprehensive API with v1 and v2 endpoints
* **Background Services**: Blockchain processing and transaction monitoring
* **Database Schema**: Complete MySQL database structure
* **Configuration Templates**: Ready-to-use configuration examples
* **Documentation**: Detailed setup, deployment, and contribution guides

### Security & Privacy First

We've taken extensive security measures in our open source release, conducting comprehensive audits to ensure no sensitive data, credentials, or production infrastructure details are exposed. The codebase includes all security frameworks while requiring you to provide your own credentials and configuration.

### Join the Community

Whether you're looking to contribute code, report bugs, suggest features, or simply explore how a modern NFT platform works, we welcome you to join our growing open source community. Check out our contribution guidelines and help us build the future of NFT infrastructure on Cardano.

## NMKR Studio Open-Source Process Documentation

**Date:** October 9, 2025\
**Version:** 1.0\
**Status:** Initial Open-Source Release\
**Contact:** <phil@nmkr.io>

***

### Overview

This document provides complete transparency about the open-sourcing process for NMKR Studio, including security measures, included components, exclusions, and deployment requirements. The project was open-sourced to enable community contribution, demonstrate transparency in the Cardano ecosystem, and fulfill Catalyst Project 1000091 Milestone 5 requirements.

***

### Purpose and Motivation

#### Primary Goals

* **Community Contribution:** Enable developer contributions and feature improvements
* **Transparency:** Demonstrate commitment to open development in the Cardano ecosystem
* **Education:** Provide reference implementation for NFT management platforms
* **Collaboration:** Foster innovation through community-driven development
* **Trust Building:** Allow security audits and public code review
* **Catalyst Compliance:** Fulfill Project 1000091 Milestone 5 requirements

#### Pre-Release Preparation Process

1. Comprehensive security audit of all 940+ files
2. Complete credential removal and sanitization
3. Git history cleanup with repository reinitialization
4. Comprehensive documentation creation
5. Open-source license research and selection

***

### Open-Source Release Scope

#### Core Application Components Included

**NMKR.Pro (Main Application)**

* Complete Blazor-based user interface
* All UI components, pages, and layouts
* Client-side logic and state management
* Blazor component architecture

**NMKR.Api (REST API)**

* Full REST API implementation (v1 and v2)
* All controller logic and business rules
* API validation and authentication framework
* Rate limiting configuration structure

**NMKR.BackgroundService (Processing Engine)**

* Complete background processing service
* Hosted services for blockchain operations
* Minting and burning workflow implementations
* Transaction monitoring services
* Address checking and validation logic

**NMKR.CardanoCliApi (Blockchain Interface)**

* Cardano CLI wrapper and integration layer
* Transaction building utilities
* Complete blockchain interaction logic

#### Shared Libraries Included

**NMKR.Shared (Core Functionality)**

* Complete database models and Entity Framework context
* Shared business logic across all services
* Utility functions and helper classes
* Blockchain-specific functions (Cardano, Solana, Aptos)
* Configuration class structures and templates

**NMKR.RazorSharedClassLibrary (UI Components)**

* Reusable Blazor UI components
* Modal windows and dialog systems
* Form components and validation helpers
* Shared helper components

**NMKR.SimpleExec (Command Execution)**

* Process execution utilities
* Simple-Exec library integration wrapper

#### Database and Configuration

**Complete Database Schema**

* Full MySQL database structure (`defaultdb.sql`)
* All table definitions, relationships, and indexes
* Views and stored procedures
* **Note:** Schema only - no actual production data

**Configuration Templates**

Complete configuration file templates for all services:

* `settings.yaml` (production template)
* `settings.preprod.yaml` (pre-production template)
* `appsettings.json` (ASP.NET Core settings)
* `appsettings.Development.json` (development settings)

**Important:** All templates contain empty values - no actual credentials included

***

### Excluded Components and Information

#### Credentials and Secrets Removed

**Database Credentials**

* MySQL connection strings and passwords
* PostgreSQL connection strings (DbSync integration)
* Database server hostnames and ports
* User credentials for all database systems

**External Service Credentials**

* **Blockfrost API:** Mainnet and testnet API keys
* **Koios API:** Access credentials and endpoints
* **Maestro API:** Cardano and Bitcoin API keys
* **Iagon Storage:** API keys and access tokens
* **Helios RPC:** API keys and connection details
* **AWS Services:** SES email service credentials
* **Redis:** Server addresses, ports, and passwords
* **RabbitMQ:** Connection strings and authentication
* **Solana RPC:** API endpoints with credentials
* **Aptos API:** Access credentials and endpoints

**Third-Party Service Keys**

* **Google reCAPTCHA:** Site keys and secret keys
* **MessageBird:** SMS service access keys
* **Yota SDK:** SDK identifiers and keys
* **Mailerlite:** API keys and group identifiers
* **Rebex:** Software license keys

**Security and Encryption Keys**

* RSA private keys (replaced with `YOUR_RSA_PRIVATE_KEY_HERE`)
* Master encryption passwords
* Two-factor authentication secrets
* JWT signing keys and certificates

#### Infrastructure Details Excluded

**Production Infrastructure**

* DigitalOcean and AWS server hostnames
* Internal IP addresses and network configurations
* SFTP server credentials and endpoints
* Production deployment configurations
* Monitoring and telemetry endpoints

**Business and User Data**

* Customer information (none in codebase)
* User transaction histories (none in codebase)
* API usage statistics and analytics
* Production metrics and configurations

#### Exclusion Rationale

**Security Protection:** Prevents compromise of live NMKR Studio platform\
**Privacy Compliance:** Maintains customer and business data confidentiality\
**Operational Integrity:** Prevents attacks on production infrastructure\
**Legal Compliance:** Respects third-party service terms of service

***

### Security Audit and Measures

#### Comprehensive Security Audit Process

**Automated Security Scanning**

* Scanned 940+ files for sensitive data
* Pattern matching for multiple credential formats:
  * API keys (various patterns and formats)
  * Passwords and secret strings
  * Database connection strings
  * Private keys and certificates
  * AWS access keys and tokens

**Manual Security Review**

* Critical files manually reviewed for context-specific issues
* Code comments checked for sensitive information
* Configuration files individually sanitized
* Documentation reviewed for inadvertent disclosures

#### Credential Sanitization Process

**Configuration File Sanitization**

* **YAML files:** All credential values set to empty strings
* **JSON files:** All secret values removed or templated
* **Source code:** Hardcoded credentials replaced with configuration references
* **Comments:** Sensitive information in comments removed
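A template check in the spirit of the scan and sanitization steps above, as an added example that is not NMKR's own audit tooling. Key names follow the `settings.yaml` template shown under Deployment Requirements; the rule set, function names and both sample inputs are constructed assumptions.

```python
import re

# Key names that carry secrets; they cover the names in this page's settings.yaml template.
SENSITIVE_KEY = re.compile(r"password|secret|token|api_?key|privatekey|connectionstring", re.I)
# Non-empty values a published template may contain: <placeholder> or YOUR_..._HERE.
PLACEHOLDER = re.compile(r"<[^<>]+>|YOUR_[A-Z0-9_]+_HERE")
# Secret-shaped values, checked on every line, comments included (assumed rule set).
VALUE_RULES = {
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connstring-password": re.compile(r"\b(?:pwd|password)\s*=\s*[^;\s]+", re.I),
}
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")


def iter_yaml_scalars(text):
    """Yield (line_no, dotted_key, value) for the 'key: value' YAML subset the templates use."""
    stack = []  # (indent, key) of the enclosing mappings
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        m = KEY_LINE.match(line)
        if not m:
            continue  # comment, blank line, or block-scalar content
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip().strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if not value:
            stack.append((indent, key))  # empty scalar or parent mapping
        yield no, path, value


def audit_template(text):
    """Return sorted (line_no, rule) findings; secret values are never echoed back."""
    findings = set()
    for no, path, value in iter_yaml_scalars(text):
        if SENSITIVE_KEY.search(path) and value and not PLACEHOLDER.fullmatch(value):
            findings.add((no, "populated:" + path))
    for no, raw in enumerate(text.splitlines(), 1):
        for rule, pattern in VALUE_RULES.items():
            if pattern.search(raw):
                findings.add((no, rule))
    return sorted(findings)


# Constructed sample: a template that is safe to publish.
SANITIZED = """\
# Database Configuration
ConnectionString: <your-mysql-connection-string>
PostgresConnectionString: ""
Redis:
  Server: <your-redis-server>
  Password:
BlockfrostApikey: <your-blockfrost-key>
MasterPassword: <your-master-encryption-password>
RsaPrivateKey: YOUR_RSA_PRIVATE_KEY_HERE
"""

# Constructed sample: the same template with leftovers (all values are fake).
LEAKY = """\
# old prod key was AKIAIOSFODNN7EXAMPLE
ConnectionString: Server=db.example.internal;Uid=app;Pwd=constructed-pw
Redis:
  Server: <your-redis-server>
  Password: constructed-redis-pw
KoiosApiKey: <your-koios-key>
RsaPrivateKey: |
  -----BEGIN RSA PRIVATE KEY-----
  (constructed, no key material)
"""

if __name__ == "__main__":
    for name, text in (("sanitized", SANITIZED), ("leaky", LEAKY)):
        print(name, audit_template(text))
```

The findings carry only a line number and a rule name, so the report itself can be pasted into a review thread without repeating the secret.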

**Git History Protection**

* Complete removal of `.git` directory
* Fresh `git init` to eliminate historical commits
* Zero commits containing sensitive data in new repository

#### Security Framework Preservation

**Authentication and Authorization**

The codebase includes complete security frameworks:

* API key validation system (`ApiKeyValidator.cs`)
* Rate limiting configuration and implementation
* IP-based access restriction mechanisms
* Role-based authorization systems

**Encryption Infrastructure**

Encryption functionality preserved with configuration requirements:

* Master password encryption framework
* Policy key encryption/decryption systems
* Secure data handling utilities

***

### Deployment Requirements

#### Required Infrastructure Services

**Core Database Systems**

1. **MySQL Server:** Main application database
2. **PostgreSQL Server:** Cardano DbSync integration
3. **Redis Server:** Caching and session management
4. **RabbitMQ:** Message queuing and background processing

**Blockchain Infrastructure**

1. **Cardano Node:** Direct blockchain interaction
2. **IPFS Node:** Metadata and asset storage
3. **Cardano DbSync:** Blockchain data synchronization (optional but recommended)

#### Required External Service Accounts

**Blockchain APIs**

1. **Blockfrost:** Primary Cardano blockchain API service
2. **Koios:** Alternative Cardano blockchain API
3. **Maestro:** Cardano infrastructure and analytics API

**Supporting Services**

1. **AWS SES:** Email notification delivery
2. **Google reCAPTCHA:** Bot protection and security
3. **MessageBird:** SMS notifications (optional)

#### Configuration Implementation

**Service Configuration Files**

Each service requires a populated `settings.yaml`:

```yaml
# Database Configuration
ConnectionString: <your-mysql-connection-string>
PostgresConnectionString: <your-postgres-connection-string>

# Redis Configuration
Redis:
  Server: <your-redis-server>
  Password: <your-redis-password>

# Blockchain API Keys
BlockfrostApikey: <your-blockfrost-key>
KoiosApiKey: <your-koios-key>
MaestroApiKey: <your-maestro-key>

# Security Keys
MasterPassword: <your-master-encryption-password>
RsaPrivateKey: <your-rsa-private-key>
```

**Environment-Specific Configuration**

* Development: `settings.yaml` with local services
* Pre-production: `settings.preprod.yaml` with staging services
* Production: `settings.yaml` with production credentials

See project `README.md` for complete configuration instructions.

***

### Contribution Guidelines

#### Accepted Contributions

**Code Improvements**

* Bug fixes and stability improvements
* Feature enhancements and new capabilities
* Performance optimizations
* Code quality improvements
* Test coverage expansion

**Documentation**

* Documentation improvements and clarifications
* Example implementations and tutorials
* Configuration guides and best practices

**Security**

* Security vulnerability reports (via responsible disclosure)
* Security enhancement suggestions
* Audit findings and recommendations

#### Unacceptable Contributions

**Security Violations**

* Commits containing any credentials or secrets
* Hardcoded sensitive information
* Configurations with actual production data

**Code Quality Issues**

* Unreviewed third-party dependencies
* Changes that compromise security frameworks
* Undocumented breaking changes
* Code without appropriate documentation

#### Security Vulnerability Reporting

**Responsible Disclosure Process**

1. **Never open public issues** for security vulnerabilities
2. **Contact privately** via email: <phil@nmkr.io>
3. **Provide detailed information:**
   * Vulnerability description
   * Steps to reproduce
   * Potential impact assessment
   * Suggested remediation (if known)

**Response Timeline**

* Initial acknowledgment within 48 hours
* Assessment and response within 7 days
* Public disclosure coordination after fix implementation

***

### Security Best Practices for Contributors

#### Development Security Guidelines

**Credential Management**

1. **Never commit credentials** to version control
2. **Use environment variables** for all sensitive configuration
3. **Copy configuration templates** and populate locally
4. **Add local config files to .gitignore**

**API Key Management**

1. **Generate your own API keys** for external services
2. **Use separate keys** for development and testing
3. **Rotate keys regularly** in production environments
4. **Monitor API key usage** for unauthorized access

**Local Development Security**

1. **Use secure local configuration management**
2. **Keep development databases isolated**
3. **Use HTTPS for all external API calls**
4. **Implement proper error handling** without exposing sensitive data

***

### Legal and Licensing Information

#### Open-Source License

Complete license terms are available in the `LICENSE.md` file in the repository root.

#### Third-Party Dependencies

NMKR Studio incorporates various open-source libraries and dependencies:

* Each dependency retains its original license
* License information available in individual `.csproj` files
* Some dependencies may require separate license compliance
* See `NOTICE.md` for complete third-party attribution

#### Intellectual Property

* NMKR Studio codebase licensed under MIT License
* Third-party integrations subject to their respective terms
* Contributors grant license rights as specified in license terms

***

### Open-Source Timeline and Process

#### Implementation Timeline

* **October 2, 2025:** Security audit and sanitization initiated
* **October 2-9, 2025:** Comprehensive credential removal process
* **October 2-9, 2025:** Git history cleanup and repository reinitialization
* **October 5-9, 2025:** Documentation creation and review
* **October 9, 2025:** Final repository preparation completed
* **October 9, 2025:** Open-source release ready for publication

#### Quality Assurance Process

1. **Multi-stage security review** with automated and manual processes
2. **Documentation completeness verification**
3. **Configuration template validation**
4. **Legal compliance review**
5. **Final security audit confirmation**

***

### Support and Contact Information

#### Project Maintainers

* **Primary Contact:** <phil@nmkr.io>
* **Development Team:** NMKR Studio Team
* **Community:** GitHub Issues and Discussions

#### Support Channels

* **Technical Questions:** GitHub Issues
* **Security Concerns:** Direct email contact
* **General Discussion:** GitHub Discussions
* **Documentation Issues:** GitHub Issues with documentation label

#### Response Expectations

* **General Issues:** Response within 3-5 business days
* **Security Issues:** Response within 48 hours
* **Documentation:** Response within 1 week
* **Community Contributions:** Review within 1-2 weeks

***

**Document Maintainer:** NMKR Studio Team\
**Last Updated:** October 9, 2025

## NMKR Studio Open-Source License Research

**Research Date:** October 9, 2025\
**Final Decision:** MIT License Selected\
**Document Version:** 1.1

***

### Executive Summary

This comprehensive analysis evaluated open-source licensing options for NMKR Studio, a full-stack NFT management platform for the Cardano blockchain. After analyzing six major license types, **MIT License** was selected to prioritize maximum community adoption, developer freedom, and ecosystem growth.

#### Key Recommendations by Use Case

* **Maximum Adoption:** MIT or Apache 2.0
* **Prevent Competition:** AGPL-3.0
* **Balanced Protection:** GPL-3.0 or MPL-2.0
* **Business Protection:** BSL 1.1 (transitioning to open-source)

***

### Project Context

**NMKR Studio Characteristics:**

* Technology stack: .NET 8.0, C#, Blazor
* Components: API services, background workers, UI, shared libraries
* Purpose: NFT minting, management, and marketplace platform
* Target: Cardano developer community with potential commercial applications

**Strategic Goals:**

1. Foster community contribution and innovation
2. Build trust and transparency in the Cardano ecosystem
3. Enable developer self-hosting and customization
4. Maintain flexibility for future commercial licensing
5. Optionally protect against unauthorized commercial exploitation

***

### License Analysis

#### 1. MIT License ⭐ **SELECTED**

**Characteristics:**

* Most permissive major open-source license
* Allows commercial use, modification, distribution, private use
* Only requires license and copyright notice inclusion
* No liability or warranty provisions

**Advantages:**

* Maximum adoption potential
* Universal compatibility with other licenses
* Simple and well-understood
* Business-friendly with minimal restrictions
* Low barrier to contribution

**Disadvantages:**

* No protection against closed-source derivatives
* No patent or trademark protection
* Competitors can create proprietary versions

**Best For:** Projects prioritizing widespread adoption and ecosystem growth over competitive protection

***

#### 2. Apache License 2.0

**Characteristics:**

* Similar permissiveness to MIT
* Explicit patent grant and trademark protection
* Requires documentation of changes
* Industry standard for many major projects

**Advantages:**

* Patent protection for users
* Trademark protection
* Change documentation requirements
* Business-friendly like MIT
* Used by major enterprise projects

**Disadvantages:**

* Slightly more complex than MIT
* No copyleft protection
* Still allows closed-source derivatives

**Best For:** Projects needing MIT-style permissiveness with added patent protection

***

#### 3. GNU General Public License v3.0 (GPL-3.0)

**Characteristics:**

* Strong copyleft license
* All derivatives must remain open-source under GPL-3.0
* Includes patent protection
* Anti-tivoization provisions

**Advantages:**

* Prevents closed-source derivatives
* Strong community protection
* Patent protection included
* Well-established and understood

**Disadvantages:**

* Reduces business adoption
* License compatibility limitations
* More complex requirements
* May limit commercial contributions

**Best For:** Projects wanting to ensure all derivatives remain open-source

***

#### 4. GNU Affero General Public License v3.0 (AGPL-3.0)

**Characteristics:**

* GPL-3.0 with additional network use requirement
* SaaS providers must share source code
* Strongest copyleft protection available
* Closes "SaaS loophole" in GPL

**Advantages:**

* Maximum protection against proprietary SaaS versions
* Prevents competitors from using code in closed platforms
* Ensures even web services remain open
* True copyleft for modern software deployment

**Disadvantages:**

* Most restrictive license option
* Significantly reduces business adoption
* Many companies completely avoid AGPL code
* Complex compliance requirements

**Best For:** Projects wanting to prevent competitors from creating proprietary SaaS versions

***

#### 5. Mozilla Public License 2.0 (MPL-2.0)

**Characteristics:**

* Weak copyleft at file level
* Only modified MPL files must remain open-source
* New files can be proprietary
* Includes patent protection

**Advantages:**

* Middle ground between permissive and copyleft
* More business-friendly than GPL
* Patent protection included
* Allows some proprietary integration

**Disadvantages:**

* More complex than pure permissive licenses
* Less protective than strong copyleft
* File-level copyleft can be confusing
* Less widely understood

**Best For:** Projects wanting moderate protection with business flexibility

***

#### 6. Business Source License (BSL) 1.1

**Characteristics:**

* Time-delayed open-source license
* Initial period with usage restrictions
* Automatic conversion to permissive license after set period
* Not OSI-approved open-source initially

**Advantages:**

* Protects business interests during critical period
* Guarantees eventual full open-source release
* Flexible use grant definitions
* Shows commitment to eventual openness

**Disadvantages:**

* Not true open-source initially
* More complex than standard licenses
* May create community trust issues
* Legal complexity in defining terms

**Best For:** Commercial projects planning eventual open-source release while protecting initial business model

***

### License Comparison Matrix

| Feature | MIT | Apache 2.0 | GPL-3.0 | AGPL-3.0 | MPL-2.0 | BSL 1.1 |
|---------|-----|------------|---------|----------|---------|---------|
| **Permissiveness** | Very High | Very High | Low | Very Low | Medium | N/A (Time-bound) |
| **Closed-Source Derivatives** | ✅ Allowed | ✅ Allowed | ❌ Prohibited | ❌ Prohibited | ⚠️ Partial | ❌ Initially |
| **Patent Protection** | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | Varies |
| **Trademark Protection** | ❌ No | ✅ Yes | ❌ No | ❌ No | ✅ Yes | Varies |
| **SaaS Must Share Code** | ❌ No | ❌ No | ❌ No | ✅ Yes | ❌ No | ⚠️ Depends |
| **Business Friendly** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Community Friendly** | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐ |
| **Adoption Potential** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Competitive Protection** | ⭐ | ⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐ |

***

### Final Decision Rationale

**NMKR Studio selected MIT License** based on the following priorities:

#### Primary Reasons

1. **Maximum Adoption:** Encourages widest possible adoption in the Cardano ecosystem
2. **Simplicity:** Easiest license for contributors and users to understand
3. **Business-Friendly:** Enables unrestricted commercial use and integration
4. **Community Growth:** Removes barriers to contribution and collaboration
5. **Ecosystem Alignment:** Matches approach of successful blockchain projects
6. **Universal Compatibility:** Compatible with virtually all other licenses
7. **Developer Freedom:** Empowers developers to build upon NMKR Studio freely

#### Accepted Trade-offs

* No patent protection (available in Apache 2.0)
* No prevention of closed-source derivatives (available in GPL/AGPL)
* No competitive protection against proprietary versions

#### Strategic Alignment

The MIT License choice reflects NMKR Studio's commitment to:

* Community growth over competitive protection
* Adoption over restriction
* Simplicity over legal complexity
* Innovation enablement over usage control

***

### Implementation Checklist

#### Completed

* ✅ License selection and strategic analysis
* ✅ Comprehensive license research and documentation

#### Remaining Tasks

* ⏳ Create LICENSE file in repository root with MIT License text
* ⏳ Add license headers to all source files
* ⏳ Create NOTICE file with third-party dependency attributions
* ⏳ Update README.md with license information and MIT badge
* ⏳ Set GitHub repository license metadata
* ⏳ Consider Contributor License Agreement implementation (optional)

***

### Legal Considerations

#### License Headers

All source files should include:

```csharp
// Copyright (c) 2025 NMKR Studio
// Licensed under the MIT License
// See LICENSE file in the project root for full license information.
```

#### Dependency Compatibility

MIT License is compatible with most .NET ecosystem dependencies including:

* MIT licensed NuGet packages (majority)
* Apache 2.0 licensed Microsoft libraries
* BSD licensed database drivers

#### Attribution Requirements

A NOTICE file must list all third-party dependencies and their respective licenses for proper attribution.

***

### Resources

#### Official License Sources

* **MIT License:** <https://opensource.org/licenses/MIT>
* **Apache 2.0:** <https://www.apache.org/licenses/LICENSE-2.0>
* **GPL-3.0:** <https://www.gnu.org/licenses/gpl-3.0.html>
* **AGPL-3.0:** <https://www.gnu.org/licenses/agpl-3.0.html>
* **MPL-2.0:** <https://www.mozilla.org/MPL/2.0/>
* **BSL 1.1:** <https://mariadb.com/bsl11/>

#### Additional Tools

* Choose a License: <https://choosealicense.com/>
* SPDX License List: <https://spdx.org/licenses/>
* GitHub License Guide: <https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository>
