Open Source Strategy
What we publish, why we publish it, and what stays private.
Protocol Wealth is an SEC-registered investment adviser. We release reusable components of our compliance-aware AI substrate into two Apache 2.0 hubs so other fiduciary firms can adopt the same posture without rebuilding scaffolding from scratch. This page is the firm's canonical statement on what's in scope, what's not, and how we attribute the upstream work we build on.
Published May 28, 2026. For the plain-English companion that explains why a fiduciary RIA publishes source code and how to read it, see /opensource.
What this page is.
The canonical statement of Protocol Wealth's open-source strategy: which components we publish, how the hubs are licensed, how we attribute upstream work, our AI-governance posture as it shows up in published packages, and the boundary between what's public and what stays private. Other firms, examiners, and contributors can use it to understand the scope and intent of every PW repository under the Apache 2.0 license.
What this page is not.
A turnkey adoption guide, investment advice, a recommendation that any other firm adopt these patterns, or a support commitment. The published packages ship "as is" under Apache 2.0 / MIT and adopter firms are responsible for their own compliance, legal, and security review.
Section 1
Strategic frame
Two Apache 2.0 hubs split along language and ecosystem boundaries — one Python, one TypeScript — that absorb permissively-licensed upstream work and host PW-authored components designed for fiduciary use.
1.1 Two Apache 2.0 hubs, not three
| Hub | License | Language ecosystem | Purpose |
|---|---|---|---|
| nexus-core | Apache 2.0 + Defensive Patent Grant | Python / FastAPI / quant | Regime-adaptive financial analysis; MCP tools for scoring, regime detection, watchlists, narrative intelligence. |
| pwos-core | Apache 2.0 + Defensive Patent Grant | TypeScript / React / user-facing | Compliance-first AI OS for RIAs; chat IDE, audit trail, PII pipeline, planning UI. |
Both repos are Open Invention Network (OIN) members with patent-pending defensive grants. Split rule: Python / FastAPI / financial-data / quant goes to nexus-core. TypeScript / React / user-facing / compliance goes to pwos-core. Borderline items (MCP servers, AI orchestration) go to the repo that owns more of the related code.
1.2 Why hubs, not fragmented per-library repos
- Both repos already have Apache 2.0 + defensive patents — structurally correct for absorbing MIT/Apache/BSD code.
- Language boundaries align naturally (Python vs TypeScript).
- Maximum attribution surface with minimum fragmentation.
- Easier discoverability — users find one OSS project, not three.
- Reduces maintenance burden for a small team.
1.3 Positioning against existing OSS in the space
| Project | License | Our relationship |
|---|---|---|
| OpenBB | AGPL-3.0 | Data aggregation; reference architecture only — we don't absorb. The provider-abstraction pattern is the gold standard worth re-deriving. |
| Sure | AGPL-3.0 | Live community fork of the archived Maybe Finance. Reference only for schema (accounts / holdings / valuations / transactions / holdings-as-events). |
| Ghostfolio / Wealthfolio | AGPL-3.0 | Portfolio tracking; reference only. |
| Firefly III | AGPL-3.0 | Double-entry bookkeeping; reference only. |
| Beancount + fava | GPL-2 / MIT | Plain-text accounting; canonical reference for double-entry, transaction immutability, balance assertions. Reference for the bailment shadow ledger; fava UI patterns absorbable into pwos-core if the data model lands cleanly. |
| OpenFisca / PolicyEngine | AGPL-3.0 | Tax/benefit microsimulation as parameters and formulas; reference-only architectural pattern for any Holistiplan-equivalent tax-planning agent. |
| Wealthbot | MIT (dormant) | RIA algorithms portable to TypeScript in pwos-core. |
| AI4Finance Foundation | MIT / Apache 2.0 | FinGPT / FinRL / FinRobot are all bundleable into nexus-core. |
| JerBouma/FinanceToolkit | MIT | Financial ratios, statements, valuation models. Absorbable into nexus-core; ~60% overlap with the 8-check scoring framework's inputs. |
1.4 AI-governance posture in PW-published OSS
Protocol Wealth operates a HITL Tier 2 posture: every AI-assisted output destined for a client passes through advisor review before publication. PW ships no autonomous client-facing AI; the underlying primitive is a fail-closed human-in-the-loop gate (Apache-2.0, open-sourced as @protocolwealthos/shared/hitl). PW's published OSS packages are designed so an adopter firm can wire the same posture into their own runtime without inheriting any PW-specific configuration.
@protocolwealthos/disclosure-card is published as an open standard candidate for AI-system disclosure: Zod schema + JSON Schema + CI gate. Apache 2.0. PW uses it for its own client-facing surfaces and welcomes adopters to fork it, validate against it, and contribute schema evolutions back. The package's status is candidate; the firm's adoption is production-active. The npm publish event landed May 27, 2026 (@protocolwealthos/[email protected] + @protocolwealthos/[email protected] under maintainer nickrygiel; pwos-core publishes 19 packages total under the @protocolwealthos scope).
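The fail-closed human-in-the-loop gate that §1.4 describes is a small but security-relevant primitive: the safe outcome on every path that is not an explicit, verified advisor approval is "do not release". The TypeScript below is an added illustration of that pattern and is not the code or API of @protocolwealthos/shared/hitl; the type names, the 24-hour approval lifetime, the digest function and the sample draft text are all assumptions made for the example.

```typescript
// Added example (not the API of @protocolwealthos/shared/hitl): a fail-closed
// human-in-the-loop gate. A draft leaves the gate only when an advisor approval
// bound to that exact text exists, is still fresh, and nothing went wrong while
// checking. Names and the 24-hour approval lifetime are assumptions.

interface Draft { id: string; text: string; }
interface Approval { draftId: string; reviewer: string; textHash: string; approvedAt: number; }
interface Decision { released: boolean; reason: string; }

const APPROVAL_TTL_MS = 24 * 60 * 60 * 1000; // assumed lifetime of an approval

// Cheap deterministic digest so an approval is tied to the reviewed text, not
// only to the draft id. A production gate would use a real hash (e.g. SHA-256).
function digest(text: string): string {
  let h = 5381;
  for (let i = 0; i < text.length; i++) {
    h = ((h * 33) ^ text.charCodeAt(i)) >>> 0;
  }
  return h.toString(16);
}

class HitlGate {
  private approvals: { [draftId: string]: Approval } = {};
  readonly audit: string[] = []; // append-only trail of every approve/release/block

  // Called by the advisor-review surface once a human has read the draft.
  approve(draft: Draft, reviewer: string, now: number): Approval {
    const a: Approval = { draftId: draft.id, reviewer: reviewer, textHash: digest(draft.text), approvedAt: now };
    this.approvals[draft.id] = a;
    this.audit.push("APPROVE " + draft.id + " by " + reviewer);
    return a;
  }

  // Every path that is not an explicit, verified approval ends in block().
  release(draft: Draft, now: number): Decision {
    try {
      const a = this.approvals[draft.id];
      if (!a) return this.block(draft, "no advisor approval on record");
      if (a.textHash !== digest(draft.text)) return this.block(draft, "draft changed after approval");
      if (now < a.approvedAt || now - a.approvedAt > APPROVAL_TTL_MS) {
        return this.block(draft, "approval expired or clock skew");
      }
      this.audit.push("RELEASE " + draft.id + " approved by " + a.reviewer);
      return { released: true, reason: "approved by " + a.reviewer };
    } catch (e) {
      // Fail closed: an unexpected error inside the gate is never a release.
      return this.block(draft, "gate error: " + String(e));
    }
  }

  private block(draft: Draft, reason: string): Decision {
    this.audit.push("BLOCK " + draft.id + ": " + reason);
    return { released: false, reason: reason };
  }
}

// Walk one constructed draft through the four outcomes the gate distinguishes.
function demo(): Decision[] {
  const gate = new HitlGate();
  const draft: Draft = { id: "d-1", text: "Constructed sample: rebalance recommendation text." };
  const t0 = 1000000;
  const out: Decision[] = [];
  out.push(gate.release(draft, t0));                                   // blocked: no approval yet
  gate.approve(draft, "advisor-a", t0);
  out.push(gate.release(draft, t0 + 60000));                           // released: approved, fresh
  out.push(gate.release({ id: "d-1", text: draft.text + " (edited)" }, t0 + 60000)); // blocked: text changed
  out.push(gate.release(draft, t0 + APPROVAL_TTL_MS + 1));             // blocked: approval expired
  return out;
}
```

The design choice worth copying is that the approval binds to a digest of the reviewed text, so an edit after sign-off silently invalidates the approval instead of riding on the earlier review, and that the audit trail records blocks as well as releases.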
Section 4
External projects to absorb
Category A is upstream work compatible with Apache 2.0 (MIT / Apache / BSD) that we bundle into the hubs with attribution. Category B is restrictively-licensed work (AGPL / GPL / SSPL) we use only as reference architecture — pattern, not code. The compatibility matrix below the tables explains the boundary.
4.1 nexus-core — Category A (bundleable: MIT / Apache / BSD)
| Project | License | What it adds |
|---|---|---|
| PyPortfolioOpt | MIT | MVO, Black-Litterman, HRP, discrete allocation |
| Riskfolio-Lib | BSD-3 | 24 convex risk measures, factor models, turnover constraints |
| empyrical-reloaded | Apache 2.0 | Sharpe / Sortino / VaR / drawdown / capture ratios |
| pyfolio-reloaded | Apache 2.0 | Professional tear sheets |
| ffn | MIT | Pandas financial functions |
| QuantLib | BSD | Derivative pricing, yield curves |
| FinancePy | MIT | Numba JIT pricing for bonds / swaps / options |
| edgartools | MIT | SEC EDGAR filings as Python objects + built-in MCP |
| sec-edgar-downloader | MIT | Bulk filing downloads |
| edgar-crawler | MIT | Extract filing sections to JSON |
| sec-parser | MIT | Semantic parsing for LLM pipelines |
| Arelle | Apache 2.0 | XBRL validation (SEC-certified) |
| yfinance | Apache 2.0 | Free market data |
| zipline-reloaded | Apache 2.0 | Event-driven backtesting |
| vectorbt | Apache 2.0 (community) | Vectorized signal backtesting; pandas-native; faster than zipline for EMF signal validation |
| alphalens | Apache 2.0 | Factor performance analysis |
| FinanceToolkit | MIT | 100+ ratios, statements, valuation models with FMP + Yahoo Finance fallback. Direct fit for nexus-core 8-check scoring inputs |
| lifelib | Apache 2.0 | Open-source actuarial life-insurance models — cash value, mortality, premium / benefit projections. For in-force life-insurance analysis |
| FinGPT | MIT | Financial LLM framework |
| FinRobot | Apache 2.0 | Multi-agent equity research |
| FinRL | MIT | RL for portfolio allocation |
| FinBERT | Apache 2.0 | Financial sentiment classification |
| Moov Watchman | Apache 2.0 | OFAC sanctions screening |
| Ethereum-ETL | MIT | Blockchain data pipeline |
| skfolio | BSD-3 | sklearn-based portfolio optimization |
| WenFire | MIT | FastAPI FIRE calculator template |
4.2 nexus-core — Category B (reference only: AGPL / GPL / restrictive)
| Project | License | Use |
|---|---|---|
| OpenBB Platform | AGPL-3.0 | Reference for data aggregation patterns; provider abstraction is the gold standard for normalizing FMP / Tradier / FRED / SEC EDGAR. Re-derive the interface, don't fork. |
| Sure | AGPL-3.0 | Live community fork of archived Maybe Finance. Schema design only: accounts, holdings, valuations, transactions, holdings-as-events pattern. |
| Beancount | GPL-2 | Plain-text accounting language. Reference for ledger design — account hierarchy, transaction immutability, balance assertions. |
| OpenFisca-US | AGPL-3.0 | Tax / benefit microsimulation framework with US implementation. Parameter-driven approach to tax law; architectural pattern for tax-planning agents. |
| PolicyEngine-US | AGPL-3.0 | Successor to OpenFisca-US, more actively maintained. Federal + state taxes, benefits, transfers. Reference for Holistiplan-equivalent (scan return → identify planning opportunities). |
| SEC EDGAR Toolkit | AGPL-3.0 | Reference for TS + Python monorepo pattern. |
| DefiLlama Adapters | GPL-3.0 | Link, don't bundle; TVL calculation for 1000+ protocols. |
4.3 pwos-core — Category A (bundleable)
| Project | License | What it adds |
|---|---|---|
| pdfme | MIT | WYSIWYG PDF template designer |
| @react-pdf/renderer | MIT | React component → PDF rendering |
| pdf-lib | MIT | Modify existing PDFs (fill forms, merge) |
| pdfmake | MIT | Declarative JSON → PDF |
| Viem | MIT | Type-safe onchain interactions |
| Wagmi | MIT | React hooks for wallet connection |
| Ox | MIT | Low-level Ethereum utilities |
| Trigger.dev | MIT | Background jobs with checkpoints |
| Activepieces | MIT | No-code workflow + MCP servers |
| BullMQ | MIT | Job queue on Redis |
| Wealthbot | MIT | Dormant PHP — port algorithms (rebalancing, TLH, billing) to TypeScript |
| fava | MIT | Beancount web UI. Reference for double-entry presentation, balance reports, account hierarchy rendering |
| Actual Budget | MIT | Self-hosted budgeting app. CRDT-based sync engine architecture worth reviewing if pwos-core ever ships multi-device client portals |
4.4 pwos-core — Category B (reference only)
| Project | License | Use |
|---|---|---|
| Twenty CRM | AGPL-3.0 | Reference for CRM custom-object system |
| Ghostfolio | AGPL-3.0 | Reference for Prisma + Postgres portfolio schema |
| Wealthfolio | AGPL-3.0 | Reference for React + Vite UI patterns |
| Firefly III | AGPL-3.0 | Reference for double-entry bookkeeping API |
| OpenArchiver | Check license | SEC 17a-4 email archiving |
| Marble | Check license | Transaction monitoring rule engine |
Section 5
License compatibility matrix
| Upstream license | Can we bundle into Apache 2.0 hub? | Notes |
|---|---|---|
| MIT | Yes | Preserve copyright notice |
| Apache 2.0 | Yes | Preserve NOTICE file |
| BSD-2 / BSD-3 | Yes | Preserve copyright |
| MPL 2.0 | Yes | Keep MPL files separate |
| LGPL | Only as dynamic dependency | Not bundled; runtime-linked |
| GPL-3.0 | No | Would force our repo to GPL |
| AGPL-3.0 | No | GPL + SaaS restrictions |
| SSPL | No | Restricts cloud offerings |
Result: roughly 60% of identified projects are bundleable. The remaining 40% become reference architecture — patterns and ideas, not code.
Section 7
Attribution strategy
Apache 2.0 obligates a NOTICE file. MIT and BSD obligate copyright preservation. We treat both as a single discipline: machine-readable third-party attribution, kept current by CI.
7.1 NOTICE file format (Apache 2.0 requirement)
```
Protocol Wealth Open Source Project
Copyright 2025-2026 Protocol Wealth LLC

This product includes software developed by:

- PyPortfolioOpt (https://github.com/robertmartin8/PyPortfolioOpt)
  Copyright (c) 2018-2026 Robert Andrew Martin, MIT License
- Riskfolio-Lib (https://github.com/dcajasn/Riskfolio-Lib)
  Copyright (c) 2020-2026 Dany Cajas, BSD-3-Clause License
[... every project bundled or derived from ...]
```
7.2 THIRD_PARTY_LICENSES.md
Full text of each bundled license. Required for Apache 2.0, MIT, BSD compliance. Maintained as a single file per repo; a CI check verifies every new dependency has an entry.
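The §5 compatibility matrix and the §7.2 CI rule ("every new dependency has an entry") are the kind of gate that is easy to describe and easy to get subtly wrong, so here is one concrete shape for it. This TypeScript is an added example, not the hubs' own CI script: it assumes licenses are declared as SPDX identifiers, that a NOTICE bullet looks like the §7.1 format (`- <name> (`), and that THIRD_PARTY_LICENSES.md uses a `## <name>` heading per project. The manifest, NOTICE text and THIRD_PARTY_LICENSES excerpt are constructed sample input. It also goes slightly beyond the page by failing closed on licenses the matrix does not list, which is what the "Check license" rows in §4.4 call for.

```typescript
// Added example (not the hubs' own CI code): apply the Section 5 compatibility
// matrix and the Section 7 attribution rule to a dependency manifest, failing
// closed on anything the matrix does not cover. SPDX identifiers are an assumed
// mapping; the page's tables use informal license names.

type Verdict = "bundle" | "dynamic-only" | "forbidden" | "unknown";

// Section 5 matrix keyed by SPDX id (assumed). "No" in the matrix is treated as
// no bundling and no linking; LGPL is the only runtime-link-only case.
const LICENSE_POLICY: { [spdx: string]: Verdict } = {
  "MIT": "bundle",
  "Apache-2.0": "bundle",
  "BSD-2-Clause": "bundle",
  "BSD-3-Clause": "bundle",
  "MPL-2.0": "bundle",            // bundleable; MPL files are kept separate
  "LGPL-2.1-only": "dynamic-only",
  "LGPL-3.0-only": "dynamic-only",
  "GPL-2.0-only": "forbidden",
  "GPL-3.0-only": "forbidden",
  "AGPL-3.0-only": "forbidden",
  "SSPL-1.0": "forbidden",
};

interface Dependency { name: string; license: string; linkage: "bundled" | "dynamic"; }
interface Finding { name: string; ok: boolean; message: string; }

function classify(license: string): Verdict {
  return Object.prototype.hasOwnProperty.call(LICENSE_POLICY, license) ? LICENSE_POLICY[license] : "unknown";
}

// Attribution is satisfied only when the dependency appears in BOTH files:
// a "- <name> (" bullet in NOTICE and a "## <name>" heading in THIRD_PARTY_LICENSES.md.
function hasAttribution(dep: Dependency, notice: string, thirdParty: string): boolean {
  const inNotice = notice.indexOf("- " + dep.name + " (") !== -1;
  const inThirdParty = thirdParty.indexOf("## " + dep.name) !== -1;
  return inNotice && inThirdParty;
}

function checkDependency(dep: Dependency, notice: string, thirdParty: string): Finding {
  const verdict = classify(dep.license);
  if (verdict === "forbidden") {
    return { name: dep.name, ok: false, message: dep.license + " is not bundleable per Section 5; reference only" };
  }
  if (verdict === "unknown") {
    return { name: dep.name, ok: false, message: "license '" + dep.license + "' is not in the matrix; resolve before merge" };
  }
  if (verdict === "dynamic-only") {
    if (dep.linkage !== "dynamic") {
      return { name: dep.name, ok: false, message: dep.license + " is allowed only as a dynamic dependency" };
    }
    return { name: dep.name, ok: true, message: "dynamic link permitted" };
  }
  // verdict === "bundle": bundled code must carry attribution in both files.
  if (dep.linkage === "bundled" && !hasAttribution(dep, notice, thirdParty)) {
    return { name: dep.name, ok: false, message: "missing NOTICE bullet or THIRD_PARTY_LICENSES.md entry" };
  }
  return { name: dep.name, ok: true, message: "bundleable, attribution present" };
}

function runGate(deps: Dependency[], notice: string, thirdParty: string): { passed: boolean; findings: Finding[] } {
  const findings = deps.map(function (d) { return checkDependency(d, notice, thirdParty); });
  return { passed: findings.every(function (f) { return f.ok; }), findings: findings };
}

// Constructed sample input mirroring the Section 7.1 NOTICE format.
const SAMPLE_NOTICE = [
  "Protocol Wealth Open Source Project",
  "This product includes software developed by:",
  "- PyPortfolioOpt (https://github.com/robertmartin8/PyPortfolioOpt) Copyright (c) 2018-2026 Robert Andrew Martin, MIT License",
  "- Riskfolio-Lib (https://github.com/dcajasn/Riskfolio-Lib) Copyright (c) 2020-2026 Dany Cajas, BSD-3-Clause License",
].join("\n");

// Constructed: the Riskfolio-Lib section is deliberately absent.
const SAMPLE_THIRD_PARTY = "## PyPortfolioOpt\nMIT License\n(full text here)\n";

const SAMPLE_DEPS: Dependency[] = [
  { name: "PyPortfolioOpt", license: "MIT", linkage: "bundled" },                 // ok
  { name: "Riskfolio-Lib", license: "BSD-3-Clause", linkage: "bundled" },         // fails: no THIRD_PARTY entry
  { name: "example-lgpl-lib", license: "LGPL-2.1-only", linkage: "dynamic" },     // ok (constructed name)
  { name: "example-agpl-tool", license: "AGPL-3.0-only", linkage: "bundled" },    // forbidden (constructed name)
  { name: "example-unlabelled", license: "Check license", linkage: "bundled" },   // unknown: fail closed
];
```

Wire `runGate` into the PR check and fail the build whenever `passed` is false; the two attribution files then cannot drift from the manifest, and a new dependency with an unresolved license blocks the merge instead of quietly landing.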
7.4 Synthetic data in examples
PW-published OSS packages use synthetic data in all examples. Any value in a @protocolwealthos/* package example that looks like a real PW configuration value (project ID, workspace ID, account number, advisor name) is by-policy synthetic; copying it into production is meaningless. Adopter firms must supply their own real values.
The discipline is enforced at the package level (the @protocolwealthos/disclosure-card README is the canonical implementation reference — "start from the bundled synthetic example, then change every value"). New packages added to the hubs inherit the same standard. Contributors reviewing PRs against pwos-core / nexus-core should treat any real-looking value in a public example as a defect.
Section 8
What stays private — and why
PW-specific code that remains proprietary. Opening these surfaces would create harm — to clients, to the firm, or to the security model — that publishing cannot undo.
8.1 Secrets + credentials
- .env files with all API keys (Anthropic, OpenAI, Brave, Postmark, Google OAuth, Fordefi, Quiltt, etc.)
- Google Secret Manager bindings
- Workload Identity Federation configs
8.2 PW-specific governance documents
- Firm-specific regulatory documents and policies
- Firm-specific architecture / legal positioning
- Firm-specific security posture claims
- EMF thresholds, signal weightings, regime definitions — core analytical IP
- Internal-to-public terminology mapping
- Agent prompts and configurations
8.3 PW-specific infrastructure
- Tenant provisioning flows with PW defaults
- Wealthbox-specific sync logic (CRM adapter)
- Fordefi policy adapters with PW-specific approval workflows
- Altruist billing integration with PW fee schedules
- Hadrius supervision adapter with PW rule sets
8.4 PW brand
- brand.json — PW colors, fonts, logos
- copy.json — approved taglines, CTAs, prohibited phrases
8.5 Client data and workflows
- All Cloud SQL data (tenant-isolated)
- All Google Cloud Storage blobs
- Per-client MPC wallet configurations
- Client-specific Investment Policy Statement text
Public OSS packages use synthetic data in all examples per §7.4 above — the "what stays private" boundary here is reinforced by the "no real values in examples" boundary on the OSS side.
Change log
Version history
| Version | Date | Summary |
|---|---|---|
| v1.2 | May 27, 2026 | Added §1.4 AI-governance posture (HITL Tier 2 statement + disclosure-card open-standard-candidate framing); added §7.4 synthetic-data discipline codified as firm-wide commitment; added §8.5 cross-reference to the synthetic-data section. |
| v1.1 | May 8, 2026 | Added Sure (live AGPL fork of archived Maybe Finance) under §4.2 reference only; added FinanceToolkit, vectorbt, and lifelib under §4.1 nexus-core Category A; added PolicyEngine + OpenFisca-US under §4.2 reference-only; added Beancount + fava for ledger architecture review; added Actual Budget for CRDT sync pattern reference. |
| v1.0 | April 22, 2026 | Initial canonical version. |
Published: May 28, 2026. Canonical permalink: https://protocolwealthllc.com/opensource-strategy.
Contact: [email protected] for questions about this strategy, vulnerability disclosure on PW-published OSS, or proposed schema evolutions to @protocolwealthos/disclosure-card.
License of this page: The page text is published under the same Apache 2.0 license that governs the hubs it describes. Quote, fork, adapt — attribution appreciated.