Terms
Effective 2026-05-13 · Mid-Atlantic AI · [email protected]
PreFlight is a free, open-source, in-browser static security audit. There is no signup, no payment, no account, and no warranty. The short version of what follows is: use it, learn from it, ship safer code; we don’t guarantee it will catch every issue and we don’t promise it’s suitable for any particular purpose.
What you can do with PreFlight
- Use it to audit any code you have permission to audit, including your own.
- Run it on production and pre-production code.
- Export findings as JSON, Markdown, GitHub PR comment, or agent prompt.
- Fork the code under the MIT license and run your own copy.
- Use the threat-intel data manifest under CC-BY-4.0 (credit PreFlight when you do).
- Build commercial products that include PreFlight code, subject to the MIT terms.
What you shouldn’t do with PreFlight
- Don’t use it to audit code you don’t have permission to audit. The fact that public source code is publicly readable doesn’t automatically grant you permission to publish security findings about it.
- Don’t treat findings as a complete security review. PreFlight catches common static patterns. It does not perform dynamic testing, business-logic review, or live exploitation testing.
- Don’t treat a clean PreFlight report as a guarantee of security. The absence of findings means the absence of findings, not the absence of vulnerabilities.
Licenses
The codebase is split into two license tiers:
- Code (MIT License): everything under src/, public/, .github/, plus the config files and package.json. Use it, fork it, integrate it, ship it. No attribution required for the source code itself.
- Threat-intel data (CC-BY-4.0): src/data/compromised-packages.js and any future src/data/*-data.{js,json} manifests. Use the data, integrate it into your own scanner, but credit the source as “Mid-Atlantic AI / PreFlight Audit Tool.”
Optional AI features (BYOK)
The Explain & Verify and Copy Agent Prompt features are optional. If you use Explain & Verify, the AI request goes from your browser directly to the AI provider you configured. The provider’s terms govern that interaction. We charge nothing for the use of these features; your AI provider charges you whatever they charge. PreFlight has no billing relationship with your AI provider and no visibility into your usage.
No warranty
PreFlight is provided as-is. We make no warranty that it is fit for any particular purpose, that it will catch every vulnerability in the code you scan, that the threat-intel data is complete or current, or that the application will operate without interruption.
You use PreFlight at your own risk. If a PreFlight scan says your code is clean and you ship it and it turns out to have a serious vulnerability, that is on you, not on us. The same applies in the other direction: if PreFlight flags a finding you don’t think is real, the decision to ignore or suppress it is yours.
Limitation of liability
To the maximum extent permitted by law, Mid-Atlantic AI and the contributors to PreFlight will not be liable for any direct, indirect, incidental, consequential, special, or exemplary damages arising out of your use of PreFlight, even where we have been advised of the possibility of such damages. The MIT license terms in the repository’s LICENSE file are the governing terms for the code; this clause is a plain-English summary of them.
Changes
We may update PreFlight and these terms at any time. Material changes are tracked in the public git history at github.com/midatlanticAI/PreFlight. If you forked the project and don’t want our changes, your fork is the version that applies to you.
Contact
Questions about these terms or how PreFlight is licensed: email [email protected].