This inventory records the current dependency and license posture for the Agentic Enterprise Readiness Profile.
It is intended for maintainers, reviewers, and AAIF/Linux Foundation-adjacent reviewers who need to understand whether the profile introduces dependency, license, or paid-service risk.
| Area | Current state |
|---|---|
| Repository license | MIT |
| Runtime dependencies | None declared |
| Development dependencies | None declared |
| Package manager lockfile | None required because no third-party packages are installed |
| Validation runtime | Node.js, using built-in fs and path modules |
| Network requirement for validation | None |
| Docker requirement for validation | None |
| Paid provider requirement | None |
The root package.json declares:
- package name:
agentic-enterprise-readiness-profile - license:
MIT - package type:
module - validation command:
npm test
The current package has no dependencies or devDependencies block.
The validator script is:
scripts/validate-readiness.mjs
It imports only Node.js built-in modules:
node:fsnode:path
The validator checks repository-local examples, templates, schema, and required docs. It does not call a network service, database, model provider, package registry, or container runtime.
The repository-level license is:
LICENSE- MIT
No third-party code bundles, vendored packages, generated SDKs, or copied external specification files are currently shipped in this repository.
If future versions add third-party dependencies, maintainers should update this inventory in the same pull request and include:
- package name
- package version or version range
- license identifier
- dependency type: runtime, development, documentation, or generated artifact
- reason the dependency is needed
- whether an OSS or built-in alternative was considered
Before a release can claim dependency-license inventory coverage:
package.jsonmust be reviewed for dependency changes.- Lockfiles, if introduced, must be reviewed.
- New vendored or generated files must be checked for source and license.
- This document must be updated when the dependency surface changes.
- The release notes must mention any new dependency or license posture change.
Current risk is low because the profile is documentation, schema, examples, and a built-in Node.js validator.
The main future risk is scope creep: adding web tooling, documentation frameworks, generated assets, or package dependencies without recording why they are needed.