|
| 1 | +While GitHub did not find sufficient information to determine a valid anti-circumvention claim, we determined that this takedown notice contains other valid copyright claim(s). |
| 2 | + |
| 3 | +--- |
| 4 | + |
| 5 | +**Are you the copyright holder or authorized to act on the copyright owner's behalf? If you are submitting this notice on behalf of a company, please be sure to use an email address on the company's domain. If you use a personal email address for a notice submitted on behalf of a company, we may not be able to process it.** |
| 6 | + |
| 7 | +Yes, I am the copyright holder. |
| 8 | + |
| 9 | +**Are you submitting a revised DMCA notice after GitHub Trust & Safety requested you make changes to your original notice?** |
| 10 | + |
| 11 | +No |
| 12 | + |
| 13 | +**Does your claim involve content on GitHub or npm.js?** |
| 14 | + |
| 15 | +GitHub |
| 16 | + |
| 17 | +**Please describe the nature of your copyright ownership or authorization to act on the owner's behalf.** |
| 18 | + |
| 19 | +I am the copyright holder and [private] of Adaptive Machines, Inc. (d/b/a Runner AI), a [private] |
| 20 | +corporation with its principal place of business at [private]. |
| 21 | +Adaptive Machines, Inc. is the sole owner of all copyrights in the Runner AI platform, including the |
| 22 | +scaffold storefront source code, build scripts, Runner AI skill definitions, and configuration files |
| 23 | +contained in the infringing repository. This code was developed internally by our engineering team, has |
| 24 | +never been released under any open source license, and is confidential proprietary software as defined in |
| 25 | +our Terms of Service (Section 6 - Confidentiality). Our ToS (Section 1) explicitly prohibits users from |
| 26 | +reproducing, duplicating, copying, or exploiting any portion of the Service without express written |
| 27 | +permission. Additionally, the repository exposes our private Google Cloud service account credentials and |
| 28 | +private npm registry configuration, which are trade secrets. |
| 29 | + |
| 30 | +**Please provide a detailed description of the original copyrighted work that has allegedly been infringed.** |
| 31 | + |
| 32 | +▎ The copyrighted works are: |
| 33 | +▎ 1. Runner AI Scaffold Storefront — A proprietary Next.js/Vite storefront template deployed into [private] |
| 34 | +sandboxes for Runner AI users. This includes all source code under the storefront/ directory: React |
| 35 | +components, routing logic, checkout flows, product display components, booking system, payment integration, |
| 36 | +and build configuration. |
| 37 | +▎ 2. Runner AI Skill Definitions — Proprietary AI agent skill files located at storefront/.runner/skills/, |
| 38 | +including building-storefronts/SKILL.md and implementing-product-reviews/SKILL.md with associated reference |
| 39 | +documentation. These define Runner AI's proprietary AI coding assistant behavior. |
| 40 | +▎ 3. Runner AI Context/Checkpoint System — Proprietary conversation context and state management files |
| 41 | +under runner/context/, including checkpoint data (messages.json, recovery-hints.json, state.md). |
| 42 | +▎ 4. Build and Deployment Scripts — Proprietary shell scripts (build-and-store.sh, commit-and-cache.sh, |
| 43 | +rollback-with-cache.sh, serve-build.sh) that are part of Runner AI's infrastructure. |
| 44 | +▎ 5. Exposed Credentials — The repository also contains our private Google Cloud service account key |
| 45 | +(storefront/npm_registry_service_account.json) and private npm registry configuration (storefront/.npmrc) |
| 46 | +pointing to our private Google Artifact Registry, which are confidential and proprietary. |
| 47 | + |
| 48 | +▎ None of this code has ever been authorized for public distribution. |
| 49 | + |
| 50 | +**If the original work referenced above is available online, please provide a URL.** |
| 51 | + |
| 52 | +▎ The original work is proprietary and not publicly available. The authorized production platform is at |
| 53 | +https://runnerai.com. The scaffold code is deployed only into private sandbox environments for |
| 54 | +authorized users. Documentation is at https://docs.runnerai.com. |
| 55 | + |
| 56 | +**We ask that a DMCA takedown notice list every specific file in the repository that is infringing, unless the entire contents of the repository are infringing on your copyright. Please clearly state that the entire repository is infringing, OR provide the specific files within the repository you would like removed.** |
| 57 | + |
| 58 | +**Based on the above, I confirm that:** |
| 59 | + |
| 60 | +The entire repository is infringing |
| 61 | + |
| 62 | +**Identify the full repository URL that is infringing:** |
| 63 | + |
| 64 | +https://github.com/aarizpe95/nucleopep-runnerai |
| 65 | + |
| 66 | +**Do you claim to have any technological measures in place to control access to your copyrighted content? Please see our <a href="https://docs.github.com/articles/guide-to-submitting-a-dmca-takedown-notice#complaints-about-anti-circumvention-technology">Complaints about Anti-Circumvention Technology</a> if you are unsure.** |
| 67 | + |
| 68 | +Yes |
| 69 | + |
| 70 | +**What technological measures do you have in place and how do they effectively control access to your copyrighted material?** |
| 71 | + |
| 72 | +Yes. The scaffold source code is deployed only into private, ephemeral [private] sandbox environments with |
| 73 | +authenticated access. The GCP service account key and private npm registry are protected by Google Cloud |
| 74 | +IAM access controls. The source code is maintained in private repositories. Users are bound by our Terms of |
| 75 | +Service which prohibit reproduction, duplication, copying, or reverse engineering of the Service (ToS |
| 76 | +Section 1) |
| 77 | + |
| 78 | +**How is the accused project designed to circumvent your technological protection measures?** |
| 79 | + |
| 80 | +▎ The Runner AI platform deploys proprietary scaffold source code exclusively into private, ephemeral |
| 81 | +[private] sandbox environments that are authenticated and access-controlled — users interact with the code |
| 82 | +only through Runner AI's web interface (iframe-based preview and AI-assisted editing). The code is never |
| 83 | +intended to be extracted, downloaded in bulk, or published outside the sandbox. |
| 84 | + |
| 85 | +▎ The accused party extracted the entire contents of a private [private] sandbox — including files that serve |
| 86 | +as technological access controls — and published them to a public GitHub repository. Specifically: |
| 87 | + |
| 88 | +▎ 1. Private npm registry credentials extracted and published: The file |
| 89 | +storefront/npm_registry_service_account.json is a Google Cloud service account private key that |
| 90 | +authenticates access to our private Google Artifact Registry |
| 91 | +(us-west2-npm.pkg.dev/stable-course-466811-k1/medusa-fork/). This key was provisioned exclusively for use |
| 92 | +within the sandbox runtime. By extracting and publishing it, the accused has exposed the authentication |
| 93 | +mechanism that controls access to our proprietary packages, allowing anyone to download our private |
| 94 | +@[private] fork. |
| 95 | +▎ 2. Registry authentication configuration extracted: The file storefront/.npmrc contains the private |
| 96 | +registry URL, and the preinstall script in package.json |
| 97 | +([private]) reveals |
| 98 | +the exact authentication flow. Together, these files enable any third party to bypass our access controls |
| 99 | +and pull packages from our private registry. |
| 100 | +▎ 3. Full project export archive included: The repository contains storefront/prj_export.tar.gz (~3.9 MB), |
| 101 | +which appears to be a bulk export of the sandbox project contents, circumventing the intended file-by-file |
| 102 | +access model of the sandbox environment. |
| 103 | + |
| 104 | +▎ In summary, the accused extracted proprietary code from a controlled sandbox environment and published |
| 105 | +both the code and the credentials that protect access to our private package infrastructure, effectively |
| 106 | +circumventing all technological measures in place. |
| 107 | + |
| 108 | +**If you are reporting an allegedly infringing fork, please note that each fork is a distinct repository and <i>must be identified separately</i>. Please read more about <a href="https://docs.github.com/articles/dmca-takedown-policy#b-what-about-forks-or-whats-a-fork">forks.</a> As forks may often contain different material than in the parent repository, if you believe any of the repositories or files in the forks are infringing, please list each fork URL below:** |
| 109 | + |
| 110 | +**Is the work licensed under an open source license?** |
| 111 | + |
| 112 | +No |
| 113 | + |
| 114 | +**What would be the best solution for the alleged infringement?** |
| 115 | + |
| 116 | +Reported content must be removed |
| 117 | + |
| 118 | +**Do you have the alleged infringer’s contact information? If so, please provide it.** |
| 119 | + |
| 120 | +[private] |
| 121 | + |
| 122 | +**I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law.** |
| 123 | + |
| 124 | +**I have taken <a href="https://www.lumendatabase.org/topics/22">fair use</a> into consideration.** |
| 125 | + |
| 126 | +**I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed.** |
| 127 | + |
| 128 | +**I have read and understand GitHub's <a href="https://docs.github.com/articles/guide-to-submitting-a-dmca-takedown-notice/">Guide to Submitting a DMCA Takedown Notice</a>.** |
| 129 | + |
| 130 | +**So that we can get back to you, please provide either your telephone number or physical address.** |
| 131 | + |
| 132 | +[private] |
| 133 | + |
| 134 | +**Please type your full name for your signature.** |
| 135 | + |
| 136 | +[private] |
0 commit comments