This page lists every transitive dependency in the 273v/kaos-* ecosystem whose license requires a policy decision. Each entry is one of two kinds:
- Approved exception — a real non-permissive license where the obligations have been reviewed and accepted; the dashboard treats the component as green-with-asterisk. The rationale below is the public audit trail.
- Parser gap — a component whose license is permissive and known but the SBOM parser currently can’t extract it. Tracked here so the coverage decision is visible; packages stay green when every unknown component has a documented parser-gap entry.
The full triage that produced these entries lives at docs/LICENSE-AUDIT.md. The machine-readable source is at policy/license-allowlist.yaml.
How license metadata is collected
Detection is a four-step pipeline; every component on this page has walked through it in order:
- uv.lock parser — `collector/sbom.py::parse_uv_lock` reads each resolution and emits a CycloneDX 1.5 component with the PyPI-declared SPDX expression (PEP 639 `license_expression` when present; otherwise the legacy classifier-derived expression).
- PyPI JSON enrichment — `info.license_expression` from `https://pypi.org/pypi/<pkg>/<ver>/json` backfills components whose lockfile metadata is missing or non-SPDX. This is the supplier-of-record for Python deps.
- crates.io enrichment — for Rust components, `https://crates.io/api/v1/crates/<crate>` carries the SPDX expression that `Cargo.lock` drops. This single pass eliminates the largest source of yellow pills on the dashboard.
- Offline license book — a hand-curated fallback for components whose PyPI metadata is missing or malformed (see `collector/sbom.py::apply_offline_license_book`). Only touches components whose SPDX is still `LicenseRef-unknown-*` after the previous three steps.
A ScanCode-toolkit pass for the residual parser-gap set is the next planned step (tracked in docs/research/08-followup.md); today every remaining unresolved component is listed in the parser-gap table below with the true license stated openly.
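The four steps share one fall-through rule: each later stage fills in only what is still `LicenseRef-unknown-*` and never overwrites an earlier stage's answer, and whatever survives all four stages is what ends up in the parser-gap table. The script below is an added example of that chain, not the project's collector/sbom.py: the package names, lock entries, PyPI and crates.io responses and the offline book are all constructed in-memory stand-ins, and the Component fields, stage labels, KNOWN_IDS set and the simplified crates.io response shape are assumptions made for the example.

```python
"""Added example of the four-step fallback chain described above. Not the
project's collector/sbom.py: every lock entry, registry response and book entry
below is a constructed in-memory stand-in, so this runs offline."""
from __future__ import annotations

import re
from collections.abc import Callable
from dataclasses import dataclass

UNKNOWN_PREFIX = "LicenseRef-unknown-"
# Deliberately tiny canonical set (assumption); a real collector carries the full SPDX list.
KNOWN_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "MPL-2.0", "Unlicense"}
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def looks_like_spdx(expr: str | None) -> bool:
    """True only when every token is a known id, a keyword or a parenthesis.
    Legacy classifier strings such as 'BSD License' fail, which is exactly
    what sends a component on to the next stage."""
    if not expr:
        return False
    tokens = _TOKEN.findall(expr)
    return bool(tokens) and all(t in KNOWN_IDS or t in ("AND", "OR", "WITH", "(", ")") for t in tokens)


@dataclass
class Component:
    name: str
    ecosystem: str           # "pypi" or "cargo"
    license_expression: str
    source: str              # which stage produced license_expression

    def unknown(self) -> bool:
        return self.license_expression.startswith(UNKNOWN_PREFIX)


def parse_lock(entries: list[dict]) -> list[Component]:
    """Stage 1: one component per lock entry. Missing or non-SPDX metadata
    becomes LicenseRef-unknown-<name> so the later stages can find it."""
    out = []
    for e in entries:
        declared = e.get("license_expression") or e.get("license")
        if looks_like_spdx(declared):
            out.append(Component(e["name"], e["ecosystem"], declared, "lockfile"))
        else:
            out.append(Component(e["name"], e["ecosystem"], UNKNOWN_PREFIX + e["name"], "none"))
    return out


def enrich(components: list[Component], lookup: Callable[[str], str | None],
           stage: str, ecosystem: str | None = None) -> list[Component]:
    """Stages 2-4 share one rule: touch only components that are still unknown
    (and, for a registry stage, belong to that registry's ecosystem); an
    earlier stage's answer is never overwritten."""
    for c in components:
        if not c.unknown() or (ecosystem is not None and c.ecosystem != ecosystem):
            continue
        expr = lookup(c.name)
        if looks_like_spdx(expr):
            c.license_expression, c.source = expr, stage
    return components


def resolve(lock, pypi_json, crates_json, offline_book) -> list[Component]:
    """Run the four stages in the documented order."""
    comps = parse_lock(lock)
    # Stage 2: PyPI JSON, info.license_expression only (supplier of record).
    enrich(comps, lambda n: pypi_json.get(n, {}).get("info", {}).get("license_expression"),
           "pypi", ecosystem="pypi")
    # Stage 3: crates.io carries the expression Cargo.lock drops
    # (response shape simplified to versions[0].license for the example).
    enrich(comps, lambda n: crates_json.get(n, {}).get("versions", [{}])[0].get("license"),
           "crates.io", ecosystem="cargo")
    # Stage 4: hand-curated book, any ecosystem, still-unknown components only.
    enrich(comps, offline_book.get, "offline-book")
    return comps


def unresolved(components: list[Component]) -> list[str]:
    """Names that still need a parser-gap row on this page."""
    return sorted(c.name for c in components if c.unknown())


# Constructed sample data; the package names are hypothetical.
LOCK = [
    {"name": "libfoo", "ecosystem": "pypi", "license_expression": "Apache-2.0"},
    {"name": "libbar", "ecosystem": "pypi", "license": "BSD License"},  # classifier text
    {"name": "libbaz", "ecosystem": "pypi"},                             # no metadata
    {"name": "cratequx", "ecosystem": "cargo"},                          # Cargo.lock drops it
    {"name": "mystery", "ecosystem": "pypi"},                            # nobody knows it
]
PYPI_JSON = {
    "libbar": {"info": {"license_expression": "BSD-3-Clause"}},
    "libbaz": {"info": {"license_expression": None, "license": "see LICENSE file"}},
}
CRATES_JSON = {"cratequx": {"versions": [{"license": "Unlicense OR MIT"}]}}
OFFLINE_BOOK = {"libbaz": "MIT", "libfoo": "MIT"}  # libfoo entry must stay unused
```

Running `resolve(LOCK, PYPI_JSON, CRATES_JSON, OFFLINE_BOOK)` resolves libfoo from the lockfile, libbar from PyPI, cratequx from crates.io and libbaz from the offline book, leaves mystery as `LicenseRef-unknown-mystery`, and ignores the book's libfoo entry because an earlier stage already answered. The `source` field is the part worth keeping in a real SBOM: it lets the dashboard show which step a pill's colour rests on.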
Reviewer pool and attestation
Every approved exception below is reviewed by a named maintainer. Today the reviewer pool is:
- mjbommar
Single-reviewer attestation, acknowledged.
Exceptions on this page are currently reviewed by one named maintainer. This is a sole-signer pattern; a two-of-N signoff is the next governance step (tracked as F2 in docs/research/08-followup.md). Until a second reviewer is wired into CODEOWNERS, treat every rationale here as a one-person claim — the rationale text + audit-ref link is the public audit trail, not a quorum.
Approved exceptions (5)
certifi, webpki-roots MPL-2.0
- SPDX: MPL-2.0
- Components: certifi, webpki-roots
- Live repos: kaos-agents, kaos-citations, kaos-content, kaos-core, kaos-graph, kaos-llm-client, kaos-llm-core, kaos-mcp, kaos-ml-core, kaos-nlp-core, kaos-nlp-transformers, kaos-office, kaos-pdf, kaos-source, kaos-tabular, kaos-web
- Audit ref: docs/LICENSE-AUDIT.md §A.1
- Reviewed: 2026-05-11
certifi ships the Mozilla CA bundle as cacert.pem plus a 30-line Python wrapper. MPL-2.0 is file-scoped (MPL-2.0 §3.3): obligations attach to the modified file, not the consuming codebase. We ship cacert.pem unmodified. This is the same posture requests, httpx, urllib3, aiohttp, boto3 take; Mozilla's own MPL FAQ confirms this interpretation. Standard enterprise legal-review outcome.
tqdm MPL-2.0 AND MIT
- SPDX: MPL-2.0 AND MIT
- Components: tqdm
- Live repos: kaos-agents, kaos-content, kaos-ml-core, kaos-nlp-transformers
- Audit ref: docs/LICENSE-AUDIT.md §A.2
- Reviewed: 2026-05-11
tqdm is dual-licensed. The MPL-2.0 component is file-scoped to a single source file (the sub-interval feature) which we do not modify. The MIT track covers the entire public API. Used by ~5B downloads across the Python ecosystem with this posture.
r-efi MPL-2.0
- SPDX: MPL-2.0
- Components: r-efi
- Live repos: kaos-graph, kaos-nlp-core, kaos-nlp-transformers
- Audit ref: docs/LICENSE-AUDIT.md §A.3
- Reviewed: 2026-05-11
r-efi is a UEFI bindings crate pulled transitively by getrandom only on UEFI targets. Our wheel matrix builds for linux, macOS, and Windows — never UEFI — so r-efi is in the resolver graph but never compiled into shipped binaries. No practical MPL-2.0 obligations attach. A stricter alternative is a cargo-deny exclude rule; tracked as future hygiene work.
hypothesis MPL-2.0
- SPDX: MPL-2.0
- Components: hypothesis
- Live repos: kaos-content
- Audit ref: docs/LICENSE-AUDIT.md §A.4
- Reviewed: 2026-05-11
hypothesis is a dev/test-only dependency declared in [dependency-groups].dev, never in [project].dependencies. A consumer who pip-installs kaos-content does not receive hypothesis. MPL-2.0 obligations cannot reach a shipped wheel.
option-ext MPL-2.0
- SPDX: MPL-2.0
- Components: option-ext
- Live repos: kaos-nlp-transformers
- Audit ref: docs/LICENSE-AUDIT.md §A.5
- Reviewed: 2026-05-11
option-ext is an 87-line Rust crate adding Option extension methods, pulled transitively via dirs → dirs-sys → option-ext. We ship it unmodified inside the kaos-nlp-transformers Rust binary; MPL-2.0 file-scoped obligations don't propagate. Future work: remove the dirs dependency entirely to drop this branch.
Parser gaps (70)
These components have known permissive licenses that the SBOM parser currently can't extract. Each row is a documented coverage decision, so the affected packages stay green while the listed fix strategy is tracked.
| Component | True license | Affected | Fix strategy |
|---|---|---|---|
| icu_collections | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| icu_locale_core | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| icu_properties | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| icu_properties_data | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| icu_provider | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| litemap | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| potential_utf | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| tinystr | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| writeable | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| yoke | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| yoke-derive | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| zerofrom | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| zerofrom-derive | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| zerotrie | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| zerovec | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| zerovec-derive | Unicode-3.0 | kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list |
| target-lexicon | Apache-2.0 WITH LLVM-exception | kaos-graph, kaos-ml-core, kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wasip2 | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-graph, kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wasip3 | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wasm-encoder | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wasm-metadata | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wasmparser | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wit-bindgen | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-graph, kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wit-bindgen-core | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wit-bindgen-rust | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wit-bindgen-rust-macro | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wit-component | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| wit-parser | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | Add LLVM-exception to SPDX exceptions set |
| unicode-ident | (MIT OR Apache-2.0) AND Unicode-3.0 | kaos-graph, kaos-ml-core, kaos-nlp-core, kaos-nlp-transformers | Add Unicode-3.0 + parenthesized-group support to compound parser |
| scipy | BSD-3-Clause | kaos-content, kaos-ml-core | Widen text-mine window from 600 to 2048 chars |
| playwright | Apache-2.0 | kaos-source, kaos-web | Offline license book fallback; upstream PR to populate info.license_expression |
| polars | MIT | kaos-content | Widen text-mine window |
| imagehash | BSD-2-Clause | kaos-content | Widen text-mine window |
| regex | Apache-2.0 OR MIT | kaos-agents, kaos-citations | Investigate — both license_expression and license should be populated upstream |
| azure-core | MIT | kaos-llm-client | Offline license book fallback |
| azure-identity | MIT | kaos-llm-client | Offline license book fallback |
| fnv | Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| winapi | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| winapi-i686-pc-windows-gnu | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| winapi-x86_64-pc-windows-gnu | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| walkdir | Unlicense OR MIT | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| same-file | Unlicense OR MIT | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| linux-raw-sys | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry; LLVM-exception support already landed |
| rustix | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry; LLVM-exception support already landed |
| version_check | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| page_size | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| id-arena | MIT | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| blake3 | CC0-1.0 OR Apache-2.0 | kaos-nlp-core | crates.io enrichment retry |
| fst | Unlicense OR MIT | kaos-nlp-core | crates.io enrichment retry |
| quick-error | MIT OR Apache-2.0 | kaos-nlp-core | crates.io enrichment retry |
| rusty-fork | MIT OR Apache-2.0 | kaos-nlp-core | crates.io enrichment retry |
| siphasher | MIT OR Apache-2.0 | kaos-nlp-core | crates.io enrichment retry |
| utf8-ranges | Unlicense OR MIT | kaos-nlp-core | crates.io enrichment retry |
| wait-timeout | MIT OR Apache-2.0 | kaos-nlp-core | crates.io enrichment retry |
| zstd-sys | MIT OR Apache-2.0 | kaos-nlp-core | crates.io enrichment retry |
| base64 | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| icu_normalizer | Unicode-3.0 | kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list (already landed in collector/sbom.py) |
| icu_normalizer_data | Unicode-3.0 | kaos-nlp-transformers | Add Unicode-3.0 to SPDX canonical list (already landed in collector/sbom.py) |
| ident_case | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| matrixmultiply | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| minimal-lexical | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| rawpointer | MIT OR Apache-2.0 | kaos-nlp-core, kaos-nlp-transformers | crates.io enrichment retry |
| rayon-cond | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| serde_urlencoded | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| socks | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| unicode-normalization-alignments | MIT OR Apache-2.0 | kaos-nlp-transformers | crates.io enrichment retry |
| wasi | Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT | kaos-nlp-transformers | crates.io enrichment retry; LLVM-exception support already landed |
| webpki-roots | MPL-2.0 | kaos-nlp-transformers | Mozilla CA roots, same posture as certifi — should land in allowed_expressions |
| protobuf | Apache-2.0 | kaos-agents | PyPI license metadata gap; offline license book fallback |
| py-rust-stemmers | BSD-3-Clause | kaos-agents | PyPI license metadata gap |
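The three parser fixes the table keeps naming (Unicode-3.0 in the SPDX canonical list, LLVM-exception in the exceptions set, parenthesized-group support in the compound parser) are easiest to see side by side in a small expression classifier. The code below is an added example and not the project's parser; the Policy type, the NARROW and FIXED configurations, the id sets and the permissive/review/unknown labels are assumptions made here. It shows why one unrecognised term turns an otherwise permissive compound expression into an unextractable one, and that the very expressions in the table classify as permissive once the three fixes are in place.

```python
"""Added example: a small SPDX expression classifier that models the three
parser gaps listed above. Not the project's collector; Policy, NARROW, FIXED
and the permissive/review/unknown labels are assumptions made here."""
from __future__ import annotations

import re
from dataclasses import dataclass

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
RANK = {"permissive": 0, "review": 1}   # AND keeps the worse bucket, OR the better


@dataclass(frozen=True)
class Policy:
    permissive: frozenset[str]   # green without an exception row
    review: frozenset[str]       # known, but needs an approved-exception row
    exceptions: frozenset[str]   # SPDX exceptions the parser understands
    allow_groups: bool           # whether '(' ... ')' is supported


_PERMISSIVE = frozenset({"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
                         "Unlicense", "CC0-1.0"})
_REVIEW = frozenset({"MPL-2.0"})
# The parser as the table describes it today, and with the three listed fixes applied.
NARROW = Policy(_PERMISSIVE, _REVIEW, frozenset(), allow_groups=False)
FIXED = Policy(_PERMISSIVE | {"Unicode-3.0"}, _REVIEW, frozenset({"LLVM-exception"}),
               allow_groups=True)


def tokenize(expr: str) -> list[str]:
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):   # nothing may be silently skipped
        raise ValueError(f"unparseable SPDX expression: {expr!r}")
    return tokens


class _Parser:
    """Recursive descent: OR binds loosest, then AND, then WITH; parentheses group."""

    def __init__(self, tokens: list[str], policy: Policy):
        self.toks, self.i, self.policy = tokens, 0, policy

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        node = self._binary("OR", lambda: self._binary("AND", self._primary))
        if self._peek() is not None:
            raise ValueError("trailing tokens")
        return node

    def _binary(self, op, operand):
        node = operand()
        while self._peek() == op:
            self._take()
            node = (op, node, operand())
        return node

    def _primary(self):
        tok = self._take()
        if tok == "(":
            if not self.policy.allow_groups:
                raise ValueError("parenthesized groups unsupported")
            node = self._binary("OR", lambda: self._binary("AND", self._primary))
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in (")", "AND", "OR", "WITH"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok not in self.policy.permissive | self.policy.review:
            raise ValueError(f"id not in canonical list: {tok}")
        if self._peek() == "WITH":
            self._take()
            exc = self._take()
            if exc not in self.policy.exceptions:
                raise ValueError(f"exception not in exceptions set: {exc}")
        return ("ID", tok)   # an exception only relaxes terms; the base id decides the bucket


def _bucket(node, policy: Policy) -> str:
    if node[0] == "ID":
        return "permissive" if node[1] in policy.permissive else "review"
    left, right = _bucket(node[1], policy), _bucket(node[2], policy)
    pick = min if node[0] == "OR" else max   # OR: licensee chooses; AND: obligations stack
    return pick(left, right, key=RANK.__getitem__)


def classify(expr: str, policy: Policy) -> str:
    """'permissive', 'review', or 'unknown' when extraction fails. One unrecognised
    term fails the whole expression: that is the parser gap the table records."""
    try:
        return _bucket(_Parser(tokenize(expr), policy).parse(), policy)
    except ValueError:
        return "unknown"
```

With NARROW, `(MIT OR Apache-2.0) AND Unicode-3.0` (the unicode-ident row) and `Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT` (the wasip2 family) both come back `unknown`, even though a human can see a permissive branch in each; with FIXED both are `permissive`. Failing the whole expression rather than guessing at the branches it does understand is the right default for a parser that feeds a compliance dashboard: a silently dropped term is how a copyleft obligation hides behind a green pill. `MPL-2.0 AND MIT` (the tqdm row) lands in `review`, which is what routes it to the approved-exceptions section rather than to this table.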
How an exception gets added
- A new transitive dependency lands with a license that isn't already permissive or already in the allowlist.
- The dashboard's License pill turns yellow for the affected package. The per-package page lists the component name.
- The maintainer opens an entry in docs/LICENSE-AUDIT.md under the appropriate section with one of four dispositions: ALLOW / RESOLVE / REMOVE / OPTIONAL.
- If ALLOW, the maintainer adds a matching row to policy/license-allowlist.yaml with public rationale + review date.
- The dashboard's next sweep reads the updated policy and reclassifies the pill to green-with-asterisk; this page shows the rationale.
No exception is silent. Every approval has a public audit row, a public rationale, a review date, and a list of currently affected repositories. If you find an entry whose rationale doesn't hold, please open an issue.