Dependency License Inventory — Engramia (Core)
Generated: 2026-04-30 | Engramia version: 0.6.6.dev0+gf2158879f.d20260404
Runtime Python dependencies that ship with the engramia wheel and Docker image. Auto-generated by scripts/audit_licenses.py against a fresh venv installed with pip install ".[all]" (runtime extras only — no dev, docs, or test tooling). Do not edit manually; CI will reject drift.
Frontend dependencies (Next.js admin dashboard) ship in a separate Docker image and are audited in the Dashboard repo: engramia/dashboard → docs/legal/DEPENDENCY_LICENSES.md.
Summary
| | Count |
|---|---|
| Python packages (runtime transitive closure) | 209 |
| 🔴 HIGH — must resolve before release | 0 |
| 🟡 MEDIUM — review required | 1 |
| 🟠 LOW — safe, note only | 3 |
| ⚠️ UNKNOWN — verify manually | 5 |
| ✅ OK | 200 |
Result: no blocking issues. 5 package(s) have unrecognized license metadata and need manual review.
Flagged packages
| Risk | Package | Version | License | Assessment |
|---|---|---|---|---|
| 🟡 MEDIUM | psycopg2-binary | 2.9.11 | GNU Library or Lesser General Public License (LGPL) | LGPL — Python import model is dynamic linking, copyleft does not propagate. Unmodified commercial use is safe. Widely used in commercial products. |
| 🟠 LOW | certifi | 2026.2.25 | Mozilla Public License 2.0 (MPL 2.0) | MPL-2.0 — file-level copyleft only. Unmodified commercial use is safe; only modified MPL files must be shared. |
| 🟠 LOW | pathspec | 1.0.4 | Mozilla Public License 2.0 (MPL 2.0) | MPL-2.0 — file-level copyleft only. Unmodified commercial use is safe; only modified MPL files must be shared. |
| 🟠 LOW | tqdm | 4.67.3 | MPL-2.0 AND MIT | MPL-2.0 — file-level copyleft only. Unmodified commercial use is safe; only modified MPL files must be shared. |
| ⚠️ UNKNOWN | agent-brain | 0.1.0 | TBD | License metadata missing or unrecognized. Verify manually before release. |
| ⚠️ UNKNOWN | audit-pipeline | 0.1.0 | UNKNOWN | License metadata missing or unrecognized. Verify manually before release. |
| ⚠️ UNKNOWN | hindsight-client | 0.5.4 | UNKNOWN | License metadata missing or unrecognized. Verify manually before release. |
| ⚠️ UNKNOWN | remanence | 0.5.0 | Other/Proprietary License | License metadata missing or unrecognized. Verify manually before release. |
| ⚠️ UNKNOWN | stop-sequencer | 1.2.3 | UNKNOWN | License metadata missing or unrecognized. Verify manually before release. |
Full list
| Package | Version | License | Risk |
|---|---|---|---|
| agent-brain | 0.1.0 | TBD | ⚠️ |
| aiohappyeyeballs | 2.6.1 | Python Software Foundation License | ✅ |
| aiohttp | 3.13.5 | Apache-2.0 AND MIT | ✅ |
| aiohttp-retry | 2.9.1 | MIT License | ✅ |
| aiosignal | 1.4.0 | Apache Software License | ✅ |
| annotated-doc | 0.0.4 | MIT | ✅ |
| annotated-types | 0.7.0 | MIT License | ✅ |
| anthropic | 0.89.0 | MIT License | ✅ |
| anyio | 4.12.1 | MIT | ✅ |
| appdirs | 1.4.4 | MIT License | ✅ |
| attrs | 26.1.0 | MIT | ✅ |
| audit-pipeline | 0.1.0 | UNKNOWN | ⚠️ |
| autogen-agentchat | 0.7.5 | MIT License | ✅ |
| autogen-core | 0.7.5 | MIT License | ✅ |
| babel | 2.18.0 | BSD License | ✅ |
| backoff | 2.2.1 | MIT License | ✅ |
| backrefs | 6.2 | MIT | ✅ |
| bandit | 1.9.4 | Apache-2.0 | ✅ |
| bcrypt | 5.0.0 | Apache Software License | ✅ |
| boolean.py | 5.0 | BSD-2-Clause | ✅ |
| CacheControl | 0.14.4 | Apache-2.0 | ✅ |
| certifi | 2026.2.25 | Mozilla Public License 2.0 (MPL 2.0) | 🟠 |
| cffi | 2.0.0 | MIT | ✅ |
| charset-normalizer | 3.4.6 | MIT | ✅ |
| click | 8.3.1 | BSD-3-Clause | ✅ |
| colorama | 0.4.6 | BSD License | ✅ |
| coverage | 7.13.5 | Apache-2.0 | ✅ |
| cryptography | 46.0.6 | Apache-2.0 OR BSD-3-Clause | ✅ |
| cyclonedx-python-lib | 11.7.0 | Apache Software License | ✅ |
| datasets | 4.8.4 | Apache Software License | ✅ |
| defusedxml | 0.7.1 | Python Software Foundation License | ✅ |
| dill | 0.4.1 | BSD License | ✅ |
| distro | 1.9.0 | Apache Software License | ✅ |
| dnspython | 2.8.0 | ISC License (ISCL) | ✅ |
| docker | 7.1.0 | Apache-2.0 | ✅ |
| docstring_parser | 0.17.0 | MIT License | ✅ |
| email-validator | 2.3.0 | The Unlicense (Unlicense) | ✅ |
| evalplus | 0.3.1 | Apache Software License | ✅ |
| fastapi | 0.135.1 | MIT | ✅ |
| fastapi-cli | 0.0.24 | MIT | ✅ |
| fastapi-cloud-cli | 0.15.0 | MIT License | ✅ |
| fastar | 0.9.0 | MIT | ✅ |
| filelock | 3.25.2 | MIT | ✅ |
| fire | 0.7.1 | Apache-2.0 | ✅ |
| frozenlist | 1.8.0 | Apache-2.0 | ✅ |
| fsspec | 2026.2.0 | BSD-3-Clause | ✅ |
| ghp-import | 2.1.0 | Apache Software License | ✅ |
| git-filter-repo | 2.47.0 | MIT License | ✅ |
| gitdb | 4.0.12 | BSD License | ✅ |
| GitPython | 3.1.46 | BSD-3-Clause | ✅ |
| google-ai-generativelanguage | 0.6.15 | Apache Software License | ✅ |
| google-api-core | 2.25.2 | Apache Software License | ✅ |
| google-api-python-client | 2.194.0 | Apache Software License | ✅ |
| google-auth | 2.49.2 | Apache Software License | ✅ |
| google-auth-httplib2 | 0.3.1 | Apache Software License | ✅ |
| google-generativeai | 0.8.6 | Apache Software License | ✅ |
| googleapis-common-protos | 1.74.0 | Apache Software License | ✅ |
| greenlet | 3.3.2 | MIT AND PSF-2.0 | ✅ |
| griffelib | 2.0.2 | ISC | ✅ |
| grpcio | 1.80.0 | Apache-2.0 | ✅ |
| grpcio-status | 1.71.2 | Apache Software License | ✅ |
| h11 | 0.16.0 | MIT License | ✅ |
| h2 | 4.3.0 | MIT License | ✅ |
| hatch-vcs | 0.5.0 | MIT | ✅ |
| hatchling | 1.29.0 | MIT | ✅ |
| hf-xet | 1.4.2 | Apache-2.0 | ✅ |
| hindsight-client | 0.5.4 | UNKNOWN | ⚠️ |
| hpack | 4.1.0 | MIT License | ✅ |
| httpcore | 1.0.9 | BSD-3-Clause | ✅ |
| httplib2 | 0.31.2 | MIT License | ✅ |
| httptools | 0.7.1 | MIT | ✅ |
| httpx | 0.28.1 | BSD License | ✅ |
| httpx-sse | 0.4.3 | MIT | ✅ |
| huggingface_hub | 1.8.0 | Apache Software License | ✅ |
| hyperframe | 6.1.0 | MIT License | ✅ |
| idna | 3.11 | BSD-3-Clause | ✅ |
| importlib_metadata | 8.7.1 | Apache-2.0 | ✅ |
| iniconfig | 2.3.0 | MIT | ✅ |
| Jinja2 | 3.1.6 | BSD License | ✅ |
| jiter | 0.13.0 | MIT License | ✅ |
| joblib | 1.5.3 | BSD-3-Clause | ✅ |
| jsonref | 1.1.0 | MIT | ✅ |
| jsonschema | 4.26.0 | MIT | ✅ |
| jsonschema-specifications | 2025.9.1 | MIT | ✅ |
| librt | 0.8.1 | MIT License | ✅ |
| license-expression | 30.4.4 | Apache-2.0 | ✅ |
| Markdown | 3.10.2 | BSD-3-Clause | ✅ |
| markdown-it-py | 4.0.0 | MIT License | ✅ |
| MarkupSafe | 3.0.3 | BSD-3-Clause | ✅ |
| mcp | 1.27.0 | MIT License | ✅ |
| mdurl | 0.1.2 | MIT License | ✅ |
| mem0ai | 2.0.0 | Apache-2.0 | ✅ |
| mergedeep | 1.3.4 | MIT License | ✅ |
| mkdocs | 1.6.1 | BSD-2-Clause | ✅ |
| mkdocs-get-deps | 0.2.2 | MIT | ✅ |
| mkdocs-material | 9.7.6 | MIT | ✅ |
| mkdocs-material-extensions | 1.3.1 | MIT | ✅ |
| mpmath | 1.3.0 | BSD License | ✅ |
| msgpack | 1.1.2 | Apache-2.0 | ✅ |
| multidict | 6.7.1 | Apache License 2.0 | ✅ |
| multipledispatch | 1.0.0 | BSD | ✅ |
| multiprocess | 0.70.19 | BSD License | ✅ |
| mypy | 1.19.1 | MIT License | ✅ |
| mypy_extensions | 1.1.0 | MIT | ✅ |
| networkx | 3.6.1 | BSD-3-Clause | ✅ |
| numpy | 2.4.3 | BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0 | ✅ |
| openai | 2.26.0 | Apache Software License | ✅ |
| openai-agents | 0.13.5 | MIT | ✅ |
| opentelemetry-api | 1.40.0 | Apache-2.0 | ✅ |
| packageurl-python | 0.17.6 | MIT License | ✅ |
| packaging | 26.0 | Apache-2.0 OR BSD-2-Clause | ✅ |
| paginate | 0.5.7 | MIT License | ✅ |
| pandas | 3.0.2 | BSD License | ✅ |
| pathspec | 1.0.4 | Mozilla Public License 2.0 (MPL 2.0) | 🟠 |
| pgvector | 0.4.2 | MIT | ✅ |
| pillow | 12.2.0 | MIT-CMU | ✅ |
| pip-api | 0.0.34 | Apache Software License | ✅ |
| pip-requirements-parser | 32.0.1 | MIT | ✅ |
| pip_audit | 2.10.0 | Apache Software License | ✅ |
| platformdirs | 4.9.4 | MIT | ✅ |
| pluggy | 1.6.0 | MIT License | ✅ |
| portalocker | 3.2.0 | BSD-3-Clause | ✅ |
| posthog | 7.13.0 | MIT License | ✅ |
| propcache | 0.4.1 | Apache Software License | ✅ |
| proto-plus | 1.27.2 | Apache Software License | ✅ |
| protobuf | 5.29.6 | 3-Clause BSD License | ✅ |
| psutil | 7.2.2 | BSD-3-Clause | ✅ |
| psycopg2-binary | 2.9.11 | GNU Library or Lesser General Public License (LGPL) | 🟡 |
| py-serializable | 2.1.0 | Apache Software License | ✅ |
| pyarrow | 24.0.0 | Apache-2.0 | ✅ |
| pyasn1 | 0.6.3 | BSD-2-Clause | ✅ |
| pyasn1_modules | 0.4.2 | BSD License | ✅ |
| pycparser | 3.0 | BSD-3-Clause | ✅ |
| pydantic | 2.12.5 | MIT | ✅ |
| pydantic-extra-types | 2.11.1 | MIT | ✅ |
| pydantic-settings | 2.13.1 | MIT | ✅ |
| pydantic_core | 2.41.5 | MIT | ✅ |
| Pygments | 2.19.2 | BSD License | ✅ |
| PyJWT | 2.12.1 | MIT | ✅ |
| pymdown-extensions | 10.21 | MIT | ✅ |
| pyparsing | 3.3.2 | MIT | ✅ |
| pytest | 9.0.2 | MIT | ✅ |
| pytest-asyncio | 1.3.0 | Apache-2.0 | ✅ |
| pytest-cov | 7.1.0 | MIT | ✅ |
| python-dateutil | 2.9.0.post0 | Apache Software License; BSD License | ✅ |
| python-dotenv | 1.2.2 | BSD-3-Clause | ✅ |
| python-multipart | 0.0.22 | Apache-2.0 | ✅ |
| pytz | 2026.1.post1 | MIT License | ✅ |
| pywin32 | 311 | Python Software Foundation License | ✅ |
| PyYAML | 6.0.3 | MIT License | ✅ |
| pyyaml_env_tag | 1.1 | MIT | ✅ |
| qdrant-client | 1.17.1 | Apache Software License | ✅ |
| referencing | 0.37.0 | MIT | ✅ |
| regex | 2026.2.28 | Apache-2.0 AND CNRI-Python | ✅ |
| remanence | 0.5.0 | Other/Proprietary License | ⚠️ |
| requests | 2.33.0 | Apache Software License | ✅ |
| rich | 14.3.3 | MIT License | ✅ |
| rich-toolkit | 0.19.7 | MIT | ✅ |
| rignore | 0.7.6 | MIT | ✅ |
| rpds-py | 0.30.0 | MIT | ✅ |
| ruff | 0.15.7 | MIT | ✅ |
| safetensors | 0.7.0 | Apache Software License | ✅ |
| scikit-learn | 1.8.0 | BSD-3-Clause | ✅ |
| scipy | 1.17.1 | BSD License | ✅ |
| sentence-transformers | 5.3.0 | Apache Software License | ✅ |
| sentry-sdk | 2.55.0 | BSD License | ✅ |
| setuptools-scm | 10.0.5 | MIT | ✅ |
| shellingham | 1.5.4 | ISC License (ISCL) | ✅ |
| six | 1.17.0 | MIT License | ✅ |
| smmap | 5.0.3 | BSD License | ✅ |
| sniffio | 1.3.1 | Apache Software License; MIT License | ✅ |
| sortedcontainers | 2.4.0 | Apache Software License | ✅ |
| SQLAlchemy | 2.0.48 | MIT | ✅ |
| sse-starlette | 3.3.4 | BSD-3-Clause | ✅ |
| starlette | 0.52.1 | BSD-3-Clause | ✅ |
| stevedore | 5.7.0 | Apache Software License | ✅ |
| stop-sequencer | 1.2.3 | UNKNOWN | ⚠️ |
| sympy | 1.14.0 | BSD License | ✅ |
| tempdir | 0.7.1 | MIT License | ✅ |
| termcolor | 3.3.0 | MIT | ✅ |
| testcontainers | 4.14.2 | Apache-2.0 | ✅ |
| threadpoolctl | 3.6.0 | BSD License | ✅ |
| tiktoken | 0.12.0 | MIT License Copyright (c) 2022 OpenAI, Shantanu Jain Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ✅ |
| tokenizers | 0.22.2 | Apache Software License | ✅ |
| tomli | 2.4.1 | MIT | ✅ |
| tomli_w | 1.2.0 | MIT License | ✅ |
| torch | 2.11.0 | BSD-3-Clause | ✅ |
| tqdm | 4.67.3 | MPL-2.0 AND MIT | 🟠 |
| transformers | 5.4.0 | Apache 2.0 License | ✅ |
| tree-sitter | 0.25.2 | MIT License | ✅ |
| tree-sitter-python | 0.25.0 | MIT | ✅ |
| trove-classifiers | 2026.1.14.14 | Apache Software License | ✅ |
| typer | 0.24.1 | MIT | ✅ |
| types-requests | 2.33.0.20260402 | Apache-2.0 | ✅ |
| typing-inspection | 0.4.2 | MIT | ✅ |
| typing_extensions | 4.15.0 | PSF-2.0 | ✅ |
| tzdata | 2026.1 | Apache-2.0 | ✅ |
| uritemplate | 4.2.0 | BSD 3-Clause OR Apache-2.0 | ✅ |
| urllib3 | 2.6.3 | MIT | ✅ |
| uvicorn | 0.42.0 | BSD-3-Clause | ✅ |
| vcs-versioning | 1.1.1 | MIT | ✅ |
| watchdog | 6.0.0 | Apache Software License | ✅ |
| watchfiles | 1.1.1 | MIT License | ✅ |
| websockets | 16.0 | BSD-3-Clause | ✅ |
| wget | 3.2 | Public Domain | ✅ |
| wrapt | 2.1.2 | BSD-2-Clause | ✅ |
| xxhash | 3.6.0 | BSD License | ✅ |
| yarl | 1.23.0 | Apache-2.0 | ✅ |
| zipp | 3.23.0 | MIT | ✅ |
Update process
- Release time — prepare-release.yml installs the runtime extras into a clean venv and runs this script; the refreshed file is committed alongside the new LICENSE.txt before the release tag is pushed.
- Pull requests — ci.yml runs python scripts/audit_licenses.py --check to fail if this file is stale after a dependency change.
- Manual refresh — pip install ".[all]" pip-licenses in a clean venv, then python scripts/audit_licenses.py.
Auto-generated. Do not edit manually.