Skip to content

Dependency license awareness

KiCad MCP Pro is distributed under the MIT license. Third-party packages are tracked through manifests and lockfiles.

Policy

  • Keep the root LICENSE as the project license source of truth.
  • Review dependency updates for license changes when Renovate opens update PRs.
  • Do not vendor external code unless source, version, license, update procedure, and reason are documented.
  • Add a NOTICE file only if an asset or dependency requires attribution beyond the MIT license file.

Current evidence

Area Evidence
Project license LICENSE, pyproject.toml, package metadata
Python packages pyproject.toml, uv.lock
JavaScript packages package.json, pnpm-lock.yaml
Rust packages Cargo manifests and lockfiles where present
Dependency updates renovate.json with vulnerability alerts and lockfile maintenance
Dependency security audit scripts/audit_dependencies.py and security:audit

REUSE posture

The repository is not currently claiming full REUSE compliance. A future pass should run in report-only mode first, then become enforced only after a file-level policy is agreed.

Release evidence

When consumers need a formal dependency license report, generate it as release evidence next to SBOM, checksum, and provenance artifacts.