What this covers.
These terms cover everything in the heso project you might touch:
- heso binary: The Rust executable shipped on GitHub Releases.
- @ixla/heso: The npm package — bundles the same binary.
- heso (pypi): The Python package — bundles the same binary.
- heso.ca: This website, including /docs and this page.
- source tree: Everything in github.com/blank3rs/heso.
If you forked the repository, the LICENSE-MIT and LICENSE-APACHE files in your tree are the authoritative source for code reuse. This page is a reader-friendly companion, not a replacement. Where this page and the license texts disagree, the license texts win.
License, your pick.
- MIT: 21 lines. Use it, copy it, sell it. Keep the notice. Best for code you want to pull into anything, with the least ceremony.
- Apache-2.0: Adds an explicit patent grant and a contribution clause. Best when downstream needs the patent-defense protections.
Copyright © 2026 Akshay and the heso contributors. You may copy, modify, redistribute, sell copies, or incorporate heso into a larger work, under the terms of either license above. Keep the notice files intact in redistributed source or binary form. The Apache-2.0 grant explicitly covers patents the contributors hold and would otherwise need to license to you.
No warranty.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
Plain English: heso is pre-alpha. It will sometimes return wrong JSON, fail to click an element you expected, or panic on a page that does something unusual. If you wire it into anything important — a trading bot, an automated medical lookup, an agent that spends money — that's your call and your risk. There is no SLA, there is no support contract, and there is no implied promise that the receipt format from v0.2.1 will verify against the verifier shipped in v0.2.1.
Limitation of liability.
This applies even if a contributor was advised of the possibility of those damages, and regardless of the legal theory the claim is brought under (contract, tort, strict liability, statute, whatever).
Some jurisdictions don't allow the exclusion or limitation of certain damages. Where that's the case, this section applies to the greatest extent your local law permits, and only that. The rest of these terms continue to apply unchanged.
Acceptable use.
What not to do
Don't use heso to —
- 01 Overload a site.
  The batch verb runs URLs in parallel; that doesn't mean every site wants you to. Respect robots.txt, respect rate limits, back off on 429s and 5xxs. The default User-Agent is heso/<version> on purpose — anything fingerprinting traffic can see you coming. If a site asks you to slow down or stop, slow down or stop.
- 02 Bypass access controls.
  Don't use heso to defeat authentication, paywalls, DRM, IP allowlists, or any other access mechanism on a system you aren't authorized to use. The fact that heso can evaluate JS or fill a form doesn't mean you have permission to.
- 03 Mishandle personal data.
  If you scrape or process personal data, you're responsible for complying with GDPR, CCPA, PIPEDA, or whichever privacy law applies to you and the data subjects. heso doesn't know who lives where.
- 04 Build something that harms people.
  Harassment, stalkerware, mass disinformation, credential stuffing, automated abuse — that whole category. The license grants you rights; it doesn't excuse you.
- 05 Misrepresent provenance.
  heso signs receipts under your Ed25519 identity (per ADR 0005). Don't sign a receipt for content you fabricated. Don't strip the signature off a real receipt and pass it off as something else.
Be a decent operator
A few reasonable defaults —
Use --receipt PATH when downstream consumers need to trust what you fetched. Use --since <hash> when polling a page over time, so you re-read only when something actually moved. Use --parallel with care. Cache. Identify yourself in your User-Agent when scraping public APIs. The standard internet citizenship stuff.
Third-party sites & services.
Pointing the binary at a URL means you've decided you're allowed to. If the destination forbids automated access in their terms, that contract is between you and them — the heso maintainers aren't a party to it and can't shield you from it.
Privacy & telemetry.
| surface | telemetry | pii | cookies |
|---|---|---|---|
| heso (binary) | none | none | per-session, local |
| heso serve (rpc) | none | none | session-scoped, local |
| heso.ca (website) | aggregate | none | analytics only |
| github releases | n/a | github tos | github tos |
The binary runs locally on your machine. It does not phone home, it does not collect telemetry, and it does not transmit page contents anywhere except the destinations you point it at. Receipts, when enabled, are written to a local path you specify — nothing is uploaded.
The website (heso.ca) uses Vercel Analytics and Microsoft Clarity for aggregate, privacy-respecting traffic measurement: pageviews, referrers, anonymized session shapes. No account data, no PII collection. If that matters to you, an ad blocker will remove them — nothing on the site depends on those scripts loading.
Trademark, briefly.
You can fork the code, redistribute it, and base derivative work on it. Please give the derivative a distinct name so users don't confuse your fork with upstream — that's the whole rule. No “heso-pro”, no “heso2”, no “heso enterprise edition” on a fork that isn't upstream-blessed.
Saying “built with heso” or “runs on heso” to identify what your tool uses is fine. Using the wordmark in a way that implies endorsement, sponsorship, or affiliation when none exists isn't.
Contributions, the deal.
Concretely: when you open a pull request, push a commit, file an issue with a code snippet, or paste a patch into a discussion, you're granting the maintainers a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license to use, reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute your contribution and any derivative works.
You're also representing that the contribution is yours to give — that you wrote it, or that the original author already licensed it under terms compatible with MIT and Apache-2.0. Don't submit copyrighted material you don't have rights to. Don't paste in code your employer owns without their sign-off.
Indemnity, briefly.
This is the standard open-source “if your use of the tool gets you sued, that's not the maintainer's problem” clause. It exists so a one-person hobby project can ship without becoming a liability shield for downstream misuse. It does not apply to claims arising from a contributor's own wrongful act.
Governing law.
For everything outside the license texts themselves — this terms page, the website, any direct interaction with the maintainers — disputes are governed by the laws of the Province of Ontario, Canada, and the federal laws of Canada that apply there, without regard to conflict-of-law rules. The courts located in Ontario will have exclusive jurisdiction over any such disputes.
Severability: if a court finds any part of these terms unenforceable, the rest of the terms keep working. No waiver: if the maintainers don't enforce a clause once, that isn't a waiver of the clause going forward.
Changes & contact.
updated date in the sidebar, and significant ones get called out in the release notes on GitHub.
The licenses themselves (MIT, Apache-2.0) are irrevocable for the versions you already received — nothing here retroactively narrows rights you already have under them. Future versions of heso can ship under different terms, but past versions keep their terms.
Bugs, security reports, license questions, or anything else: file an issue on the GitHub tracker. That's the canonical channel. There is no support email and no support phone number — this is a one-person project moving fast, and the tracker is where real triage happens.
