NMKR Studio is open-source
NMKR Studio, our comprehensive NFT management platform for the Cardano blockchain, is now fully open source under the MIT License.
NMKR Studio is Now Open Source
What This Means
NMKR Studio's complete codebase is now available to the community, including our full-stack web application built with .NET 8.0, C#, and Blazor. This includes all core components: the main UI, REST API, background processing services, Cardano CLI integration, shared libraries, and complete database schema.
Why We Went Open Source
Our decision to open source NMKR Studio reflects our commitment to the Cardano ecosystem and open development principles:
Foster Innovation: Enable developers to build upon and extend our platform
Build Trust: Provide complete transparency through public code review
Strengthen Security: Allow community security audits and vulnerability reporting
Enable Self-Hosting: Give developers full control over their NFT infrastructure
Support Education: Serve as a reference implementation for NFT platforms
Grow Community: Encourage collaboration and contributions from Cardano developers
NMKR Studio's open source release fulfills our commitment to transparent development and marks an important milestone in our journey to empower the Cardano NFT ecosystem.
Get Started
Ready to explore, contribute, or deploy your own instance? Our codebase includes comprehensive documentation, configuration templates, and deployment guides to get you started quickly.
Repository: github.com/nmkr-studio/nmkr-studio
License: MIT License
Documentation: Complete setup and contribution guides included
What's Included
Full Application Stack: Complete .NET 8.0 web application with Blazor UI
REST API: Comprehensive API with v1 and v2 endpoints
Background Services: Blockchain processing and transaction monitoring
Database Schema: Complete MySQL database structure
Configuration Templates: Ready-to-use configuration examples
Documentation: Detailed setup, deployment, and contribution guides
Security & Privacy First
We've taken extensive security measures in our open source release, conducting comprehensive audits to ensure no sensitive data, credentials, or production infrastructure details are exposed. The codebase includes all security frameworks while requiring you to provide your own credentials and configuration.
Join the Community
Whether you're looking to contribute code, report bugs, suggest features, or simply explore how a modern NFT platform works, we welcome you to join our growing open source community. Check out our contribution guidelines and help us build the future of NFT infrastructure on Cardano.
NMKR Studio Open-Source Process Documentation
Date: October 9, 2025
Version: 1.0
Status: Initial Open-Source Release
Contact: [email protected]
Overview
This document provides complete transparency about the open-sourcing process for NMKR Studio, including security measures, included components, exclusions, and deployment requirements. The project was open-sourced to enable community contribution, demonstrate transparency in the Cardano ecosystem, and fulfill Catalyst Project 1000091 Milestone 5 requirements.
Purpose and Motivation
Primary Goals
Community Contribution: Enable developer contributions and feature improvements
Transparency: Demonstrate commitment to open development in Cardano ecosystem
Education: Provide reference implementation for NFT management platforms
Collaboration: Foster innovation through community-driven development
Trust Building: Allow security audits and public code review
Catalyst Compliance: Fulfill Project 1000091 Milestone 5 requirements
Pre-Release Preparation Process
Comprehensive security audit of all 940+ files
Complete credential removal and sanitization
Git history cleanup with repository reinitialization
Comprehensive documentation creation
Open-source license research and selection
Open-Source Release Scope
Core Application Components Included
NMKR.Pro (Main Application)
Complete Blazor-based user interface
All UI components, pages, and layouts
Client-side logic and state management
Blazor component architecture
NMKR.Api (REST API)
Full REST API implementation (v1 and v2)
All controller logic and business rules
API validation and authentication framework
Rate limiting configuration structure
NMKR.BackgroundService (Processing Engine)
Complete background processing service
Hosted services for blockchain operations
Minting and burning workflow implementations
Transaction monitoring services
Address checking and validation logic
NMKR.CardanoCliApi (Blockchain Interface)
Cardano CLI wrapper and integration layer
Transaction building utilities
Complete blockchain interaction logic
Shared Libraries Included
NMKR.Shared (Core Functionality)
Complete database models and Entity Framework context
Shared business logic across all services
Utility functions and helper classes
Blockchain-specific functions (Cardano, Solana, Aptos)
Configuration class structures and templates
NMKR.RazorSharedClassLibrary (UI Components)
Reusable Blazor UI components
Modal windows and dialog systems
Form components and validation helpers
Shared helper components
NMKR.SimpleExec (Command Execution)
Process execution utilities
Simple-Exec library integration wrapper
Database and Configuration
Complete Database Schema
Full MySQL database structure (defaultdb.sql)
All table definitions, relationships, and indexes
Views and stored procedures
Note: Schema only - no actual production data
Configuration Templates
Complete configuration file templates for all services:
settings.yaml (production template)
settings.preprod.yaml (pre-production template)
appsettings.json (ASP.NET Core settings)
appsettings.Development.json (development settings)
Important: All templates contain empty values - no actual credentials included
Excluded Components and Information
Credentials and Secrets Removed
Database Credentials
MySQL connection strings and passwords
PostgreSQL connection strings (DbSync integration)
Database server hostnames and ports
User credentials for all database systems
External Service Credentials
Blockfrost API: Mainnet and testnet API keys
Koios API: Access credentials and endpoints
Maestro API: Cardano and Bitcoin API keys
Iagon Storage: API keys and access tokens
Helios RPC: API keys and connection details
AWS Services: SES email service credentials
Redis: Server addresses, ports, and passwords
RabbitMQ: Connection strings and authentication
Solana RPC: API endpoints with credentials
Aptos API: Access credentials and endpoints
Third-Party Service Keys
Google reCAPTCHA: Site keys and secret keys
MessageBird: SMS service access keys
Yota SDK: SDK identifiers and keys
Mailerlite: API keys and group identifiers
Rebex: Software license keys
Security and Encryption Keys
RSA private keys (replaced with YOUR_RSA_PRIVATE_KEY_HERE)
Master encryption passwords
Two-factor authentication secrets
JWT signing keys and certificates
Infrastructure Details Excluded
Production Infrastructure
DigitalOcean and AWS server hostnames
Internal IP addresses and network configurations
SFTP server credentials and endpoints
Production deployment configurations
Monitoring and telemetry endpoints
Business and User Data
Customer information (none in codebase)
User transaction histories (none in codebase)
API usage statistics and analytics
Production metrics and configurations
Exclusion Rationale
Security Protection: Prevents compromise of live NMKR Studio platform
Privacy Compliance: Maintains customer and business data confidentiality
Operational Integrity: Prevents attacks on production infrastructure
Legal Compliance: Respects third-party service terms of service
Security Audit and Measures
Comprehensive Security Audit Process
Automated Security Scanning
Scanned 940+ files for sensitive data
Pattern matching for multiple credential formats:
API keys (various patterns and formats)
Passwords and secret strings
Database connection strings
Private keys and certificates
AWS access keys and tokens
Manual Security Review
Critical files manually reviewed for context-specific issues
Code comments checked for sensitive information
Configuration files individually sanitized
Documentation reviewed for inadvertent disclosures
Credential Sanitization Process
Configuration File Sanitization
YAML files: All credential values set to empty strings
JSON files: All secret values removed or templated
Source code: Hardcoded credentials replaced with configuration references
Comments: Sensitive information in comments removed
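A sketch of the two checks described above (format-based pattern matching, and confirming that template credential values are empty or placeholders), written as an added example and not NMKR's own audit tooling. The key names come from the settings.yaml template on this page; the regular expressions, the `scan_text` function and both sample inputs are assumptions constructed for illustration, and the AWS key shown is the example value from AWS documentation.

```python
import re

# Key names taken from the settings.yaml template on this page; in a published
# template their values must be empty or an obvious placeholder.
SENSITIVE_KEYS = {
    "ConnectionString", "PostgresConnectionString", "Password",
    "BlockfrostApikey", "KoiosApiKey", "MaestroApiKey",
    "MasterPassword", "RsaPrivateKey",
}
# Sanitized values: empty, <your-...>, or YOUR_..._HERE.
PLACEHOLDER = re.compile(r"^(?:|<[^<>]+>|YOUR_[A-Z0-9_]+_HERE)$")
# Format-based rules that fire regardless of key name (assumed, not exhaustive).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "connection-string-password": re.compile(
        r"\b(?:password|pwd)\s*=\s*[^;\s\"']+", re.IGNORECASE),
}
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$")


def scan_text(text):
    """Return sorted (line_number, rule) findings; the secret itself is never echoed."""
    findings = set()
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.add((number, rule))
        match = KEY_VALUE.match(line)
        if match:
            key, value = match.groups()
            # Drop a trailing YAML comment and surrounding quotes before judging.
            value = value.split(" #", 1)[0].strip().strip("\"'")
            if key in SENSITIVE_KEYS and not PLACEHOLDER.match(value):
                findings.add((number, "non-empty:" + key))
    return sorted(findings)


# Constructed sample: a correctly sanitized template.
CLEAN_TEMPLATE = """\
# Database Configuration
ConnectionString: <your-mysql-connection-string>
PostgresConnectionString: ""
Redis:
  Server: <your-redis-server>
  Password:
BlockfrostApikey: ''
MasterPassword: <your-master-encryption-password>
RsaPrivateKey: YOUR_RSA_PRIVATE_KEY_HERE
"""

# Constructed sample: the same file with values left in (none are real).
LEAKY_SAMPLE = """\
ConnectionString: Server=db.example.internal;Uid=app;Pwd=constructed-not-real;
Redis:
  Server: <your-redis-server>
  Password: constructed-redis-pass
AwsKey: AKIAIOSFODNN7EXAMPLE
RsaPrivateKey: |
  -----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_number, rule in scan_text(LEAKY_SAMPLE):
        print(f"line {line_number}: {rule}")
```

Run as a pre-commit or CI step over configuration files, a non-empty result should fail the build; findings report only the line and rule so the scanner's own output does not leak the value.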
Git History Protection
Complete removal of .git directory
Fresh git init to eliminate historical commits
Zero commits containing sensitive data in new repository
Security Framework Preservation
Authentication and Authorization
The codebase includes complete security frameworks:
API key validation system (ApiKeyValidator.cs)
Rate limiting configuration and implementation
IP-based access restriction mechanisms
Role-based authorization systems
Encryption Infrastructure
Encryption functionality preserved with configuration requirements:
Master password encryption framework
Policy key encryption/decryption systems
Secure data handling utilities
Deployment Requirements
Required Infrastructure Services
Core Database Systems
MySQL Server: Main application database
PostgreSQL Server: Cardano DbSync integration
Redis Server: Caching and session management
RabbitMQ: Message queuing and background processing
Blockchain Infrastructure
Cardano Node: Direct blockchain interaction
IPFS Node: Metadata and asset storage
Cardano DbSync: Blockchain data synchronization (optional but recommended)
Required External Service Accounts
Blockchain APIs
Blockfrost: Primary Cardano blockchain API service
Koios: Alternative Cardano blockchain API
Maestro: Cardano infrastructure and analytics API
Supporting Services
AWS SES: Email notification delivery
Google reCAPTCHA: Bot protection and security
MessageBird: SMS notifications (optional)
Configuration Implementation
Service Configuration Files
Each service requires a populated settings.yaml:

```yaml
# Database Configuration
ConnectionString: <your-mysql-connection-string>
PostgresConnectionString: <your-postgres-connection-string>

# Redis Configuration
Redis:
  Server: <your-redis-server>
  Password: <your-redis-password>

# Blockchain API Keys
BlockfrostApikey: <your-blockfrost-key>
KoiosApiKey: <your-koios-key>
MaestroApiKey: <your-maestro-key>

# Security Keys
MasterPassword: <your-master-encryption-password>
RsaPrivateKey: <your-rsa-private-key>
```
Environment-Specific Configuration
Development: settings.yaml with local services
Pre-production: settings.preprod.yaml with staging services
Production: settings.yaml with production credentials
See project README.md for complete configuration instructions.
Contribution Guidelines
Accepted Contributions
Code Improvements
Bug fixes and stability improvements
Feature enhancements and new capabilities
Performance optimizations
Code quality improvements
Test coverage expansion
Documentation
Documentation improvements and clarifications
Example implementations and tutorials
Configuration guides and best practices
Security
Security vulnerability reports (via responsible disclosure)
Security enhancement suggestions
Audit findings and recommendations
Unacceptable Contributions
Security Violations
Commits containing any credentials or secrets
Hardcoded sensitive information
Configurations with actual production data
Code Quality Issues
Unreviewed third-party dependencies
Changes that compromise security frameworks
Undocumented breaking changes
Code without appropriate documentation
Security Vulnerability Reporting
Responsible Disclosure Process
Never open public issues for security vulnerabilities
Contact privately via email: [email protected]
Provide detailed information:
Vulnerability description
Steps to reproduce
Potential impact assessment
Suggested remediation (if known)
Response Timeline
Initial acknowledgment within 48 hours
Assessment and response within 7 days
Public disclosure coordination after fix implementation
Security Best Practices for Contributors
Development Security Guidelines
Credential Management
Never commit credentials to version control
Use environment variables for all sensitive configuration
Copy configuration templates and populate locally
Add local config files to .gitignore
API Key Management
Generate your own API keys for external services
Use separate keys for development and testing
Rotate keys regularly in production environments
Monitor API key usage for unauthorized access
Local Development Security
Use secure local configuration management
Keep development databases isolated
Use HTTPS for all external API calls
Implement proper error handling without exposing sensitive data
Legal and Licensing Information
Open-Source License
Complete license terms available in LICENSE.md file in repository root.
Third-Party Dependencies
NMKR Studio incorporates various open-source libraries and dependencies:
Each dependency retains its original license
License information available in individual .csproj files
Some dependencies may require separate license compliance
See NOTICE.md for complete third-party attribution
Intellectual Property
NMKR Studio codebase licensed under MIT License
Third-party integrations subject to their respective terms
Contributors grant license rights as specified in license terms
Open-Source Timeline and Process
Implementation Timeline
October 2, 2025: Security audit and sanitization initiated
October 2-9, 2025: Comprehensive credential removal process
October 2-9, 2025: Git history cleanup and repository reinitialization
October 5-9, 2025: Documentation creation and review
October 9, 2025: Final repository preparation completed
October 9, 2025: Open-source release ready for publication
Quality Assurance Process
Multi-stage security review with automated and manual processes
Documentation completeness verification
Configuration template validation
Legal compliance review
Final security audit confirmation
Support and Contact Information
Project Maintainers
Primary Contact: [email protected]
Development Team: NMKR Studio Team
Community: GitHub Issues and Discussions
Support Channels
Technical Questions: GitHub Issues
Security Concerns: Direct email contact
General Discussion: GitHub Discussions
Documentation Issues: GitHub Issues with documentation label
Response Expectations
General Issues: Response within 3-5 business days
Security Issues: Response within 48 hours
Documentation: Response within 1 week
Community Contributions: Review within 1-2 weeks
Document Maintainer: NMKR Studio Team
Last Updated: October 9, 2025
NMKR Studio Open-Source License Research
Research Date: October 9, 2025
Final Decision: MIT License Selected
Document Version: 1.1
Executive Summary
This comprehensive analysis evaluated open-source licensing options for NMKR Studio, a full-stack NFT management platform for the Cardano blockchain. After analyzing six major license types, MIT License was selected to prioritize maximum community adoption, developer freedom, and ecosystem growth.
Key Recommendations by Use Case
Maximum Adoption: MIT or Apache 2.0
Prevent Competition: AGPL-3.0
Balanced Protection: GPL-3.0 or MPL-2.0
Business Protection: BSL 1.1 (transitioning to open-source)
Project Context
NMKR Studio Characteristics:
Technology stack: .NET 8.0, C#, Blazor
Components: API services, background workers, UI, shared libraries
Purpose: NFT minting, management, and marketplace platform
Target: Cardano developer community with potential commercial applications
Strategic Goals:
Foster community contribution and innovation
Build trust and transparency in the Cardano ecosystem
Enable developer self-hosting and customization
Maintain flexibility for future commercial licensing
Optionally protect against unauthorized commercial exploitation
License Analysis
1. MIT License ⭐ SELECTED
Characteristics:
Most permissive major open-source license
Allows commercial use, modification, distribution, private use
Only requires license and copyright notice inclusion
No liability or warranty provisions
Advantages:
Maximum adoption potential
Universal compatibility with other licenses
Simple and well-understood
Business-friendly with minimal restrictions
Low barrier to contribution
Disadvantages:
No protection against closed-source derivatives
No patent or trademark protection
Competitors can create proprietary versions
Best For: Projects prioritizing widespread adoption and ecosystem growth over competitive protection
2. Apache License 2.0
Characteristics:
Similar permissiveness to MIT
Explicit patent grant and trademark protection
Requires documentation of changes
Industry standard for many major projects
Advantages:
Patent protection for users
Trademark protection
Change documentation requirements
Business-friendly like MIT
Used by major enterprise projects
Disadvantages:
Slightly more complex than MIT
No copyleft protection
Still allows closed-source derivatives
Best For: Projects needing MIT-style permissiveness with added patent protection
3. GNU General Public License v3.0 (GPL-3.0)
Characteristics:
Strong copyleft license
All derivatives must remain open-source under GPL-3.0
Includes patent protection
Anti-tivoization provisions
Advantages:
Prevents closed-source derivatives
Strong community protection
Patent protection included
Well-established and understood
Disadvantages:
Reduces business adoption
License compatibility limitations
More complex requirements
May limit commercial contributions
Best For: Projects wanting to ensure all derivatives remain open-source
4. GNU Affero General Public License v3.0 (AGPL-3.0)
Characteristics:
GPL-3.0 with additional network use requirement
SaaS providers must share source code
Strongest copyleft protection available
Closes "SaaS loophole" in GPL
Advantages:
Maximum protection against proprietary SaaS versions
Prevents competitors from using code in closed platforms
Ensures even web services remain open
True copyleft for modern software deployment
Disadvantages:
Most restrictive license option
Significantly reduces business adoption
Many companies completely avoid AGPL code
Complex compliance requirements
Best For: Projects wanting to prevent competitors from creating proprietary SaaS versions
5. Mozilla Public License 2.0 (MPL-2.0)
Characteristics:
Weak copyleft at file level
Only modified MPL files must remain open-source
New files can be proprietary
Includes patent protection
Advantages:
Middle ground between permissive and copyleft
More business-friendly than GPL
Patent protection included
Allows some proprietary integration
Disadvantages:
More complex than pure permissive licenses
Less protective than strong copyleft
File-level copyleft can be confusing
Less widely understood
Best For: Projects wanting moderate protection with business flexibility
6. Business Source License (BSL) 1.1
Characteristics:
Time-delayed open-source license
Initial period with usage restrictions
Automatic conversion to permissive license after set period
Not OSI-approved open-source initially
Advantages:
Protects business interests during critical period
Guarantees eventual full open-source release
Flexible use grant definitions
Shows commitment to eventual openness
Disadvantages:
Not true open-source initially
More complex than standard licenses
May create community trust issues
Legal complexity in defining terms
Best For: Commercial projects planning eventual open-source release while protecting initial business model
License Comparison Matrix
| Feature | MIT | Apache 2.0 | GPL-3.0 | AGPL-3.0 | MPL-2.0 | BSL 1.1 |
|---------|-----|------------|---------|----------|---------|---------|
| **Permissiveness** | Very High | Very High | Low | Very Low | Medium | N/A (Time-bound) |
| **Closed-Source Derivatives** | ✅ Allowed | ✅ Allowed | ❌ Prohibited | ❌ Prohibited | ⚠️ Partial | ❌ Initially |
| **Patent Protection** | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | Varies |
| **Trademark Protection** | ❌ No | ✅ Yes | ❌ No | ❌ No | ✅ Yes | Varies |
| **SaaS Must Share Code** | ❌ No | ❌ No | ❌ No | ✅ Yes | ❌ No | ⚠️ Depends |
| **Business Friendly** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Community Friendly** | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐ |
| **Adoption Potential** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Competitive Protection** | ⭐ | ⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐ |
Final Decision Rationale
NMKR Studio selected MIT License based on the following priorities:
Primary Reasons
Maximum Adoption: Encourages widest possible adoption in Cardano ecosystem
Simplicity: Easiest license for contributors and users to understand
Business-Friendly: Enables unrestricted commercial use and integration
Community Growth: Removes barriers to contribution and collaboration
Ecosystem Alignment: Matches approach of successful blockchain projects
Universal Compatibility: Compatible with virtually all other licenses
Developer Freedom: Empowers developers to build upon NMKR Studio freely
Accepted Trade-offs
No patent protection (available in Apache 2.0)
No prevention of closed-source derivatives (available in GPL/AGPL)
No competitive protection against proprietary versions
Strategic Alignment
The MIT License choice reflects NMKR Studio's commitment to:
Community growth over competitive protection
Adoption over restriction
Simplicity over legal complexity
Innovation enablement over usage control
Implementation Checklist
Completed
✅ License selection and strategic analysis
✅ Comprehensive license research and documentation
Remaining Tasks
⏳ Create LICENSE file in repository root with MIT License text
⏳ Add license headers to all source files
⏳ Create NOTICE file with third-party dependency attributions
⏳ Update README.md with license information and MIT badge
⏳ Set GitHub repository license metadata
⏳ Consider Contributor License Agreement implementation (optional)
Legal Considerations
License Headers
All source files should include:
```csharp
// Copyright (c) 2025 NMKR Studio
// Licensed under the MIT License
// See LICENSE file in the project root for full license information.
```
Dependency Compatibility
MIT License is compatible with most .NET ecosystem dependencies including:
MIT licensed NuGet packages (majority)
Apache 2.0 licensed Microsoft libraries
BSD licensed database drivers
Attribution Requirements
A NOTICE file must list all third-party dependencies and their respective licenses for proper attribution.
Resources
Official License Sources
MIT License: https://opensource.org/licenses/MIT
Apache 2.0: https://www.apache.org/licenses/LICENSE-2.0
MPL-2.0: https://www.mozilla.org/MPL/2.0/
BSL 1.1: https://mariadb.com/bsl11/
Additional Tools
Choose a License: https://choosealicense.com/
SPDX License List: https://spdx.org/licenses/