I'm Tom. I build infrastructure for software accountability.
I'm the creator and lead maintainer of Korext Open Source: seven open standards for making AI-generated code traceable, licensable, and accountable across software supply chains. The work focuses on a future where AI writes more code than humans can review, and where the discipline of governance has to keep pace.
Alongside the open standards, I'm Founder of Korext, the commercial governance runtime that enforces these standards inside regulated industries (banks, defense primes, healthcare systems).
The seven packages I design, maintain, and ship.
| Standard | What it does | Version |
|---|---|---|
| ai-attestation | Verifiable provenance for the leading AI coding tools | |
| supply-chain-attestation | Adapters across the leading SBOM and signature ecosystems | |
| ai-license | Licensing framework for AI-generated code | |
| ai-incident-registry | Public incident taxonomy and registry for AI code failures | |
| ai-code-radar | Detection pattern library for AI-authored code | |
| ai-regression-database | Regression fingerprinting for AI code patterns | |
| commit-carbon | Emissions accounting for software changes | |
Specifications: CC0 (public domain). Code: Apache 2.0. Data: CC BY 4.0. Zero legal friction for adopters to build on the standards or contribute back.
The commercial governance runtime.
Korext is the enforcement layer for the open standards: it sits inside regulated industry development workflows and enforces policy, sovereignty, and audit at the moment code is written. Banks, defense primes, and healthcare systems cannot legally adopt autonomous coding tools without provable controls over what the AI writes, where the data sits, and who attests to the output.
The standards are the substrate. The platform is the runtime.
Product and Platform Strategy Lead at Google, where my work centers on Chrome's AI platform, web ecosystem, and developer surfaces.

