docs: add third-party license audit report by fmueller · Pull Request #26 · fmueller/scribae

fmueller · 2026-02-21T11:24:38Z

Provide a repository-level audit that checks third-party dependency licenses from the lockfile against the project's Apache-2.0 license to surface potential incompatibilities and compliance tasks.

Add THIRD_PARTY_LICENSE_AUDIT.md which documents scope, methodology, and a per-dependency license table derived from the uv.lock closure (runtime + translation extra + dev).
The report flags file-level copyleft (MPL-2.0) packages (certifi, pathspec, tqdm) and one package with missing/unknown metadata (sentencepiece) and enumerates 25 lockfile packages that were not resolvable in this environment and need manual verification.
The report includes a concise compliance checklist advising to retain LICENSE and include third-party notices / upstream license texts when bundling dependencies.

Ran uv run ruff check and all checks passed.
Ran uv run mypy and type checks passed (no issues reported).
Ran uv run pytest and all tests passed (180 passed).
Attempted uv sync --locked --all-extras --dev but it failed in this environment due to network/tunnel errors preventing download of some packages (notably torch and several CUDA-related deps), so those packages are listed in the audit as requiring manual verification before release.

docs: add third-party license audit report

8cd027c

fmueller added the codex label Feb 21, 2026 — with ChatGPT Codex Connector

fmueller merged commit 0757e6f into main Feb 21, 2026
3 checks passed

fmueller deleted the codex/verify-library-licenses-against-apache-2 branch February 21, 2026 11:58

Provide feedback