When an agent writes an update set that touches incident, task, and the business rule that fires on insert into cmdb_ci, you should be able to read what it was thinking before it ran. Not a sanitized summary. Not “system reasoning unavailable.” The actual prompt, the planner’s intermediate output, the tool call arguments, the response that came back from your instance.

That’s the floor. Below it, you’re operating on faith, and faith is a poor debugging surface at 02:00 on a Sunday when the change-advisory board wants to know why your test instance just got 4,000 phantom sys_audit rows.

Most agentic platforms put that floor underground. Serac puts it at eye level.

What’s actually in the repo

The Serac core lives at github.com/serac-labs/serac. If you clone it right now, here’s what you can read:

  • Planner prompts. Every prompt the orchestrator sends to the LLM is in packages/opencode/src/agent/prompts/. Not embedded, not generated, not loaded from a remote config. A .md file you can git blame.
  • Tool schemas. Every tool the agent can call is declared in packages/opencode/src/tools/<domain>/<tool>.ts, with the input schema, the output contract, and the side-effect notes inline. The same file is the source of truth for the runtime, the docs site, and the MCP server. There is no second version.
  • ServiceNow connectors. The HTTP client, the table client, the update-set tracker, the ACL pre-check, the dictionary cache. Every line of how Serac talks to your instance.
  • The reviewer step. The orchestration node that intercepts every write call, packages it for human approval, and waits.

What’s not in the public repo:

  • Your data. Serac is your binary against your instance. We don’t see your tickets, your CIs, your business rules. (If you opt into hosted Serac, the activity stream is encrypted at rest in EU region — but the source code that handles it is still public, so you can verify what we claim.)
  • Your keys. BYO LLM provider, BYO vault. The agent receives ephemeral, scoped credentials at call time and never persists them.
  • Your tenant. Hosted Serac is multi-tenant at the database level only; the runtime is per-tenant containers. Source of that runtime: in the repo.

That’s the split. It’s deliberate. The thing that determines whether you can trust the agent is the behavior — and the behavior is the code.

Why proprietary “AI magic” is a tax

The enterprise AI vendor pitch in 2025-2026 has a remarkably consistent structure:

  1. “We’ve built a proprietary reasoning engine.”
  2. “It’s been trained on millions of enterprise tickets.”
  3. “Trust us, it’s safer than a generic LLM.”
  4. “You can’t see the prompts, that’s our IP.”

Step 4 is where the contract gets one-sided. You’re paying for an agent that takes consequential actions in your production environment, and the part you most need to audit is the part you’re explicitly forbidden from looking at.

This isn’t safer. It’s the opposite. Every closed-source agent failure becomes a black box that only the vendor can investigate, on the vendor’s timeline, with the vendor’s incentives. If your update set bricks the catalog item flow, you want to know whether the planner picked the wrong tool, whether the prompt failed to mention scope boundaries, or whether the LLM hallucinated a table. With a closed agent, you get a ticket number and a 5-day SLA.

There’s also the small matter of what “proprietary reasoning” usually is. It’s a prompt. It’s a chain. It’s some retrieval logic. None of these are novel science. The moat is the integration work — the connectors, the schema awareness, the platform-specific tool design. We agree those are valuable. We just don’t agree that they should be invisible.

The Apache License 2.0 specifics

Serac core ships under the Apache License 2.0 — OSI-approved, permissive, genuine open source. Here’s what that means in practice:

  • Read every line. Fork it. Run it on your laptop, in your data center, in your customer’s air-gapped environment. Modify it. Submit PRs. Build internal extensions.
  • Use it commercially however you want — inside your own organization, in paid client engagements, or as the foundation of a product you sell.
  • Host it as a managed service. Build a business on it. Wrap it, rebrand it, ship it. Apache 2.0 has no anti-resale carve-out, no field-of-use limit, no “you can’t host this as a service” clause.

That’s the whole license: read it, fork it, self-host it, even build a service on it. No carve-outs.

We picked Apache 2.0 over a source-available license like Elastic v2 because we don’t believe the company’s moat should be a legal restriction stapled to the code. The moat is the hosted portal, the deep ServiceNow domain layer, and the community — none of which a competitor gets by cloning the repo. We picked Apache over AGPL because AGPL’s copyleft creates a corporate-friction story we don’t want our users to have to fight through their legal teams; Apache’s patent grant and permissive terms sail through procurement.

If you’re a ServiceNow developer, a consultancy, an in-house platform team, an MSP doing fixed-fee implementation work, or even a startup that wants to build a hosted product on top of Serac — you’re welcome. There is no permitted-lane-versus-blocked-lane distinction. It’s all the permitted lane.

That’s a real open-source license, and we’d rather earn your trust with genuine openness than with a “source-available” asterisk.

What openness costs us

The honest part of the manifesto: openness is not free, and the cost lands on us.

When prompts are public, anyone can copy them. That’s fine — prompts are the cheapest part of building an agent. The expensive parts are the orchestration graph, the schema awareness, the reviewer contract, the trace pipeline, the connector quality, and the cumulative work of fixing the 429 obscure ServiceNow edge cases. None of that is captured by a prompt.

When tool schemas are public, competitors can match them. Also fine — having the same schema as Serac doesn’t get you the same behavior. The behavior is a hundred small calibrations that came from running real workflows against real customer instances over two years.

When the connector code is public — and under Apache 2.0 anyone is fully free to fork it, host it, even sell it — someone can ship a clone. They will. We’ve already seen one. It crashes on update-set application because they don’t run the same test matrix we do. We chose a license that explicitly permits this, because we’d rather compete on quality than hide behind a clause that says you’re not allowed to.

The thing openness costs us is the easy story. We can’t say “trust the magic” in a sales call. We have to actually demonstrate that the behavior is sound, that the human-in-the-loop step works, that the schema maps are current. Every customer asks harder questions than a closed-source vendor would face. That’s good for us long-term. It’s slower in the short term.

We accept the trade.

The closed-source counterargument, on its strongest day

We try to be fair. Here’s the best version of the case against openness, the one a smart vendor would actually make:

“Open-source agents create a different security risk. Now attackers can read your prompts, find prompt-injection patterns, and target your customers. Closed-source means a smaller attack surface for prompt-level exploits.”

This argument is real. It’s also wrong, but it takes a minute to explain why.

Prompt-injection attacks work whether or not the prompt is public. They work because LLMs follow instructions, and an attacker can put instructions in user input the LLM will read. Knowing the system prompt makes some classes of injection slightly easier — the attacker can tailor their payload — but the underlying vulnerability is the LLM’s instruction-following behavior, not the visibility of the system prompt. Closed-source agents are exploited regularly. We’ve sat in on three customer post-incident reviews where the agent under attack was a closed-source enterprise tool, and the analysis was strictly harder because the security team couldn’t read the prompts to diagnose the failure mode.

The right defense against prompt injection is not prompt secrecy. It’s structural: input sanitization, output validation, the classifier+reviewer step Serac uses for writes, and not letting the LLM make decisions about its own permissions. Those are all visible in the Serac source. You can verify they’re there. With a closed agent, you have to trust the marketing copy.
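
The structural defenses named above can be shown as a gate that sits between the planner and the instance. This is an added example, not code from the Serac repository; the tool names, argument keys and the gate function are hypothetical, and the sample calls are constructed.

```typescript
// Added illustration: every name below is hypothetical, not Serac's API.
type Effect = "read" | "write";
interface ToolSpec { effect: Effect; tables: readonly string[] }
interface ProposedCall { tool: string; args: Record<string, unknown> }
type Decision =
  | { action: "execute" }
  | { action: "needs_review"; summary: string }
  | { action: "reject"; reason: string };

// Side effects and table scope are declared in code, never by the model.
const REGISTRY = new Map<string, ToolSpec>([
  ["table.query", { effect: "read", tables: ["incident", "task", "cmdb_ci"] }],
  ["table.update", { effect: "write", tables: ["incident", "task"] }],
]);
const ALLOWED_ARGS = new Set(["table", "sys_id", "fields", "query"]);
const TABLE_NAME = /^[a-z][a-z0-9_]{0,79}$/;

function gate(call: ProposedCall, granted: ReadonlySet<string>): Decision {
  const spec = REGISTRY.get(call.tool);
  if (!spec) return { action: "reject", reason: "unknown tool" };
  // Output validation: unknown keys such as a model-supplied "approved"
  // flag are rejected instead of being silently honoured or dropped.
  for (const key of Object.keys(call.args)) {
    if (!ALLOWED_ARGS.has(key)) return { action: "reject", reason: `unexpected argument ${key}` };
  }
  const table = call.args["table"];
  if (typeof table !== "string" || !TABLE_NAME.test(table)) {
    return { action: "reject", reason: "invalid table" };
  }
  // Scope is the intersection of the tool's declaration and the session grant.
  if (!spec.tables.includes(table) || !granted.has(table)) {
    return { action: "reject", reason: "table out of scope" };
  }
  if (spec.effect === "write") {
    return { action: "needs_review", summary: `${call.tool} on ${table}` };
  }
  return { action: "execute" };
}

// Constructed sample calls, as a planner might emit them.
const SAMPLE_CALLS: ProposedCall[] = [
  { tool: "table.query", args: { table: "incident", query: "active=true" } },
  { tool: "table.update", args: { table: "task", sys_id: "constructed-id", fields: {} } },
  { tool: "table.update", args: { table: "task", approved: true } },
  { tool: "table.update", args: { table: "cmdb_ci", fields: {} } },
];
function demo(): string[] {
  return SAMPLE_CALLS.map((c) => gate(c, new Set(["incident", "task"])).action);
}
```

The third sample call is the one that matters for injection: text that persuades the model to mark its own write as approved changes nothing, because approval is not an input the gate accepts.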

The honest version of the counterargument is narrower: closed-source allows the vendor to ship “security through obscurity for a short time window after a vulnerability is discovered.” The window between “vendor finds bug” and “vendor patches and notifies customers” is shorter than the window for an open project, because the open project’s commit history broadcasts the fix to attackers immediately. That’s true, and it’s a measurable advantage on the order of days.

We’ve decided that advantage is not worth the larger cost of unauditability. You may decide differently. But the case for closed-source agents on prompt-injection grounds is weaker than vendors usually present it.

What openness gets you

A few concrete things, in the order you’ll notice them:

  • Debugging is real debugging. When something fails, you read the planner output, you read the tool call, you read the response. You don’t open a support ticket and wait. You can, but you don’t have to.
  • Auditability is inherent. Security teams reviewing the agent get the source. Not architectural diagrams. The source. Same with compliance reviews — git log on the prompt is the change history.
  • Forking is possible. If we go in a direction you hate, the code is still yours. If we get acquired, the code is still yours. If we go out of business, the code is still yours. This isn’t a hypothetical — it’s the most-asked question by enterprise procurement, and “the source is public under Apache 2.0, with no field-of-use restrictions” is the only answer that closes the loop.
  • Contributions are real. The repo has external commits already. ServiceNow developers who’ve shipped a Flow Designer extension for years know things we don’t, and they ship fixes for connector edge cases that would have taken our team weeks to find.

That last one is the part that compounds. Closed-source agents can only learn what their vendor’s customer success team relays back. Open-source agents learn from every developer who hits a wall and files a PR.

The pattern

Open by default isn’t a marketing position. It’s an engineering position: when AI takes consequential actions in your environment, the only sustainable way to make those actions trustworthy is to make them legible.

You don’t audit a process by reading the marketing copy. You audit it by reading the code. We just removed the step where you have to ask permission first.