Pricing

Free OSS core for individuals and projects that don't need AI enrichment. Paid plan for active devs who want semantic dedup, ranked findings, and 50M enrichment tokens per month. OSS scanning runs entirely on your machine; the Paid plan's enrichment step calls our gateway.

OSS core

$0 / forever

Everything in the open-source CLI. Apache 2.0-licensed; use commercially without restriction.

  • Every scanner: secrets, PII, code quality, AI anti-patterns, phantom imports
  • brasscoders filter noise-reduction post-processor
  • YAML output designed for Claude Code / Cursor consumption
  • Offline-first; never phones home
  • Community support via GitHub Issues

Install via pipx

Recommended for active devs

BrassCoders Paid

$12 / developer / month

Everything in OSS, plus AI-powered enrichment. Cancel any time.

  • Everything in OSS core
  • AI-powered enrichment: semantic dedup, cluster sizing, and rank-by-relevance against your project signature — typical scan reduces 1500+ raw findings to ~300 actionable ones
  • 50 million enrichment tokens / month — covers ~30-50 scans of a real codebase (typical active-dev usage)
  • Top up with extra tokens at our upstream cost — no markup on per-token pricing
  • Advanced scanners (deeper analysis, more languages, refreshed quarterly)
  • Priority email support
  • License managed by LemonSqueezy — keys re-validate weekly; apart from that check, the CLI stays offline-first for scanner work
  • 3 machine activations per license — laptop, desktop, and CI, or however you slice it

Questions? Email brass@coppersuncreative.com.

How the enrichment pricing works

The Paid plan includes 50 million enrichment tokens per month. Enrichment is the step that turns 1500+ raw scanner findings into ~300 actionable ones — semantic dedup, cluster sizing, and ranking against your project signature. A hosted embedding + rerank model does the heavy lifting behind the scenes.

50M tokens covers roughly 30-50 scans/month of a real codebase — what an active developer running brass daily during feature work actually uses. If you need more, top up at our upstream cost. We don't mark up the per-token pricing; the top-up pool is straight pass-through. Your monthly $12 covers the scanner tool, the gateway hosting, and the typical-usage token budget.

The output of all this — your YAML file at .brass/ai_instructions.yaml — is what you hand to Claude Code, Cursor, Continue, or your AI assistant of choice. Your bill from Anthropic / OpenAI / whoever stays separate. We don't resell anyone else's API.

The OSS core stays fully offline — no enrichment, no gateway calls, no monthly token cap. Free forever. Many users will find OSS is enough on its own.

Pricing FAQ

Is the OSS core actually free for commercial use?

Yes. Apache 2.0 license. Use it inside your company, fork it, embed it in CI, ship a derivative — all fine. Attribution preserved per the license; no usage caps. Apache 2.0 also includes an explicit patent grant, which a few enterprise buyers find easier to clear than MIT.

What goes in "advanced scanners"?

Refreshed quarterly. The current plan: deeper SAST coverage (Semgrep ruleset integration), JS/TS taint analysis, and an extended secrets pack covering enterprise-only formats (Okta, ServiceNow, internal SSO tokens). The OSS core never loses features — the Paid plan is additive.

What if I run out of tokens mid-month?

You'll see a banner in the CLI when you're close to the monthly cap. Top up via your billing portal; top-up tokens persist across periods (they don't expire at month-end like the monthly grant). Top-up tokens are billed at our upstream API cost with zero markup. If you don't want to top up, the OSS core falls back to heuristic-only enrichment without our gateway — same scanner output, just without the semantic dedup pass.

How does license verification work?

License keys are issued and tracked by LemonSqueezy via their License API. Activation is a single HTTPS call from your machine to LS; afterward the CLI re-validates at most once per week to pick up cancellations or refunds. The brasscoders scan command itself calls our gateway for the AI-powered enrichment step (sends the scanner findings + your project signature; receives ranked survivors). The OSS-only path (--no-enrich or unlicensed installs) makes zero outbound calls — pure offline scanning.

How many machines does a license cover?

One license covers up to 3 machine activations — your laptop, your desktop, and a CI runner, for example. Each activation is per-machine, not per-developer-identity. If you need more seats for a larger team, buy additional licenses (no minimum, no five-seat-minimum nonsense). Run brasscoders deactivate to free up a slot on a retired machine.

Refunds / cancellation?

Cancel any time from your billing portal; the subscription ends at the close of the current billing period. License keys remain valid through that period. We don't pro-rate on cancel because the OSS core is enough for most users — the Paid plan is a "support yourself by supporting us" relationship, not a hostage situation.