Skip to content

Latest commit

 

History

History
77 lines (50 loc) · 2.68 KB

File metadata and controls

77 lines (50 loc) · 2.68 KB

Dependency License Inventory

Purpose

This inventory records the current dependency and license posture for the Agentic Enterprise Readiness Profile.

It is intended for maintainers, reviewers, and AAIF/Linux Foundation-adjacent reviewers who need to understand whether the profile introduces dependency, license, or paid-service risk.

Current Summary

Area Current state
Repository license MIT
Runtime dependencies None declared
Development dependencies None declared
Package manager lockfile None required because no third-party packages are installed
Validation runtime Node.js, using built-in fs and path modules
Network requirement for validation None
Docker requirement for validation None
Paid provider requirement None

Declared Package Metadata

The root package.json declares:

  • package name: agentic-enterprise-readiness-profile
  • license: MIT
  • package type: module
  • validation command: npm test

The current package has no dependencies or devDependencies block.

Validator Dependency Surface

The validator script is:

  • scripts/validate-readiness.mjs

It imports only Node.js built-in modules:

  • node:fs
  • node:path

The validator checks repository-local examples, templates, schema, and required docs. It does not call a network service, database, model provider, package registry, or container runtime.

License Review Notes

The repository-level license is:

  • LICENSE - MIT

No third-party code bundles, vendored packages, generated SDKs, or copied external specification files are currently shipped in this repository.

If future versions add third-party dependencies, maintainers should update this inventory in the same pull request and include:

  • package name
  • package version or version range
  • license identifier
  • dependency type: runtime, development, documentation, or generated artifact
  • reason the dependency is needed
  • whether an OSS or built-in alternative was considered

Release Gate

Before a release can claim dependency-license inventory coverage:

  1. package.json must be reviewed for dependency changes.
  2. Lockfiles, if introduced, must be reviewed.
  3. New vendored or generated files must be checked for source and license.
  4. This document must be updated when the dependency surface changes.
  5. The release notes must mention any new dependency or license posture change.

Current Risk Assessment

Current risk is low because the profile is documentation, schema, examples, and a built-in Node.js validator.

The main future risk is scope creep: adding web tooling, documentation frameworks, generated assets, or package dependencies without recording why they are needed.