Blog

Open Source in the Age of AI Coding: Why We Chose Source-Available

Pablo Marin, CTO @ KSGai.com · February 23, 2026

When we started building MCP Gateway, “open source” seemed like the obvious choice. It’s the default for developer infrastructure. It builds trust, drives adoption, creates community. Every successful infrastructure company — Kong, Grafana, Supabase, PostHog — is built on open source.

But 2025–2026 changed the equation. AI coding tools (Claude Code, GitHub Copilot, Cursor) made it trivially easy to point at a GitHub repo and recreate the entire product in days. We had to ask ourselves: in a world where code is free, what’s actually worth protecting?

The State of Open Source in 2026

Tailwind’s revenue collapse. Tailwind CSS has 30M+ weekly npm downloads and is growing faster than ever. Revenue is down 80%. Documentation traffic dropped 40% since 2023 — developers ask AI instead of reading docs. Creator Adam Wathan laid off 75% of engineering.

“Right now there’s just no correlation between making Tailwind easier to use and making development of the framework more sustainable.”

Read more at The Decoder

Maintainer burnout. Mitchell Hashimoto (HashiCorp/Ghostty founder) created “Vouch” — a trust system for contributors — after AI-generated PRs went from rare to 50% of all submissions. Daniel Stenberg shut down curl’s 6-year, $86K bug bounty after AI submissions collapsed genuine vulnerability discovery below 5%. Read Stenberg’s post

The academic research. Koren et al. (2026) found that AI tools install dependencies “in a way that comes between developers and maintainers, undermining interactions that potentially return value to those doing the work.” Stack Overflow question volume dropped sharply after ChatGPT launched. Read the analysis at The Register

The economic asymmetry. It takes a developer 60 seconds to prompt an agent to fix typos. It takes a maintainer an hour to carefully review those changes. PR volumes jumped 40% while merge rates declined. As Matt Asay wrote:

“The future of open source is smaller, quieter, and much more exclusive.”

Read Asay’s article at InfoWorld

Code Is No Longer a Moat

The cost of producing code is approaching zero. As Keon Kim puts it, “AI is doing to coding what the internet did to distribution.” When anyone can generate a working prototype in a weekend, 25% of YC’s current cohort have nearly AI-generated codebases (TechCrunch). Code itself is no longer a differentiator.

a16z’s “Context is King” essay captures the shift perfectly:

“That kind of judgment can’t be automated like code. It varies dramatically by domain and is earned only through experience.”

NFX’s research on AI defensibility confirms that network effects, community trust, and workflow lock-in are the new moats. If code is free, what’s defensible?

The new moat hierarchy:

  1. Distribution — being where developers already are (marketplaces, certifications)
  2. Community trust — takes years to build, seconds to lose
  3. Workflow lock-in — once data flows through you, switching is painful
  4. Operational excellence — running infrastructure is harder than writing it

What We Learned from Kong, Grafana, and Sentry

Three models that work in 2026. Each gives away the runtime and sells the management layer.

Kong: Apache 2.0 gateway (free forever) + commercial control plane (Konnect). $50K+/yr enterprise contracts. The gateway is the distribution; the management layer is the revenue.

Grafana: AGPL core + Grafana Cloud (consumption-based). $400M ARR. 70% of Fortune 50 use it. Open source visualization drives adoption; managed cloud and enterprise plugins drive revenue.

Sentry: Created the Functional Source License (FSL). All code is visible on GitHub. It prevents competitors from offering a competing hosted service. After 2 years, each version automatically converts to Apache 2.0.

The pattern is clear: give away the runtime, sell the management layer and operational excellence.

Our Decision: FSL + Apache 2.0

We chose the Functional Source License (FSL-2.0) for MCP Gateway’s core, the license created by Sentry. Here’s why.

What it allows: Download, run, modify, deploy for any non-competing purpose — free. You can run MCP Gateway in production, modify it for your needs, and contribute back. No restrictions on internal use.

What it prevents: Competitors cannot take our code and sell a competing hosted MCP gateway service. That’s it. One restriction.

What happens after 2 years: Each version automatically becomes Apache 2.0 — fully open source. No rug pull. No bait and switch. Just a two-year head start.

Why not BSL: The Business Source License requires a custom “Additional Use Grant” per company — enterprise legal teams must review each variant individually. FSL is standardized. One license, one set of terms, no per-vendor legal review.

Why not AGPL: Google has a company-wide ban on AGPL. Many enterprises have similar blanket bans. AGPL’s viral boundary is ambiguous — does calling an AGPL service over HTTP trigger copyleft? Nobody wants to litigate that question.

Why not fully open (MIT/Apache 2.0): Because IBM, Microsoft, Docker, and Cloudflare are all building free MCP gateways already. We can’t out-code trillion-dollar companies. We need to protect our ability to build a business.

Our SDKs (Python, Node, Go) are Apache 2.0 — developers should never worry about license restrictions when importing an SDK. The licensing boundary is clear: the gateway runtime is FSL, everything you integrate with is Apache 2.0.

For more on source-available licensing strategies, see dbt Labs’ licensing model, which takes a similar approach.

What Enterprises Actually Pay For

If the code is visible, why pay? Because enterprises don’t pay for code. They pay for everything around it.

  • SSO/SAML/OIDC — enterprise IT will not approve software that doesn’t integrate with their identity provider. No SSO = no procurement approval.
  • Audit logs — required for SOC 2, ISO 27001, HIPAA, PCI DSS. Every API call, every configuration change, every access event — logged and queryable.
  • RBAC — who can access which MCP servers, skills, sandboxes. Granular permissions that map to organizational structure.
  • SLA-backed support — 1-hour P1 response, 24/7. “File a GitHub issue” is not acceptable for production infrastructure.
  • Cloud marketplace access — enterprises use committed spend ($470B+ outstanding across AWS/Azure/GCP). Buying through the marketplace draws down existing commitments instead of creating new line items.
  • Red Hat certification — tested, patched, jointly supported. CVE response SLAs. The stamp of approval that enterprise procurement requires.

This is exactly how Kong ($50K+/yr), Grafana ($400M ARR), and MongoDB ($2B revenue) make money on top of visible-source software. The code is the distribution channel. The enterprise wrapper is the product.

The age of “open source = business model” is over. Open source is a distribution strategy, not a revenue model. The companies that understand this — and invest in the management layer, the certifications, the marketplace presence, and the operational excellence that enterprises actually pay for — are the ones that will build durable businesses.

MCP Gateway is source-available because we believe in transparency. We chose FSL because we believe in building a sustainable company that can serve our customers for decades, not just until the next funding round.