{
  "id": "license_third_party_governance",
  "label": "License & Third-Party Governance Canonical",
  "phase": "phase-08",
  "category": "security_governance",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Define how DEVON-DEV governs licenses, allowed use, restricted use, attribution, commercial-use status and legal evidence for every third-party model, library, package, Docker image, snippet, template, UI dependency and server dependency.",
  "function": "Prevent third-party material from entering the platform as anonymous code by requiring dependency identity, source, version, license, allowed_use, restricted_use, commercial_use_allowed, attribution_required, security_status, FSM approval and evidence_path before promotion or reuse.",
  "license_contract": {
    "requires_dependency_id": true,
    "requires_package_name": true,
    "requires_source": true,
    "requires_version": true,
    "requires_license": true,
    "requires_allowed_use": true,
    "requires_restricted_use": true,
    "requires_commercial_use_allowed": true,
    "requires_attribution_required": true,
    "requires_security_status": true,
    "requires_approved_by_fsm": true,
    "requires_evidence_path": true,
    "covers_local_models": true,
    "covers_python_libraries": true,
    "covers_npm_packages": true,
    "covers_composer_packages": true,
    "covers_docker_images": true,
    "covers_external_snippets": true,
    "covers_external_templates": true,
    "covers_ui_dependencies": true,
    "covers_server_dependencies": true,
    "blocks_unknown_license": true,
    "blocks_unknown_source": true,
    "blocks_restricted_use_violation": true,
    "blocks_commercial_use_without_permission": true,
    "blocks_missing_attribution_when_required": true,
    "decision_authority": "NONE_FSM_DECIDES"
  },
  "governed_third_party_classes": [
    "local_models",
    "python_libraries",
    "npm_packages",
    "composer_packages",
    "docker_images",
    "external_snippets",
    "external_templates",
    "ui_dependencies",
    "server_dependencies",
    "model_weights",
    "base_images",
    "fonts_if_used",
    "icons_if_used",
    "datasets_if_used"
  ],
  "technology_requirements": [
    {
      "technology": "Third-Party Component Registry",
      "required_for": "Register third-party models, libraries, packages, images, snippets, templates and dependencies with identity, source, version, license, allowed use and restriction metadata.",
      "required_by_phase": "phase-08",
      "required_by_category": "license_third_party_governance",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until third-party component schema and registry storage exist",
      "validation_command": "MISSING until registry lookup can prove dependency_id, package_name, source, version, license, allowed_use, restricted_use and evidence_path",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/license_third_party_governance_canonical.json",
      "status_source": "Documentation Hub + future Third-Party Component Registry + Artifact Registry + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Third-Party Component Registry, DEVON-DEV cannot prove what external material it incorporated, where it came from or what usage restrictions govern it."
    },
    {
      "technology": "License Scanner",
      "required_for": "Detect declared and inferred licenses for npm, pip, composer, Docker image, model, snippet, template, UI and server dependencies.",
      "required_by_phase": "phase-08",
      "required_by_category": "license_third_party_governance",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until scanner adapter policy and target mapping exist",
      "validation_command": "MISSING until license scan can prove target_type, package_name, version, license, source, confidence, restriction and evidence_path",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/license_third_party_governance_canonical.json",
      "status_source": "Documentation Hub + future License Scanner + Dependency Inventory Registry + Execution Logs",
      "blocking_if_missing": true,
      "failure_impact": "Without License Scanner, license evaluation depends on manual reading and can miss transitive or embedded third-party restrictions."
    },
    {
      "technology": "SBOM",
      "required_for": "Produce a software bill of materials that connects packages, versions, images, source origins, license signals and promotion evidence.",
      "required_by_phase": "phase-08",
      "required_by_category": "license_third_party_governance",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until SBOM generation and artifact linkage exist",
      "validation_command": "MISSING until SBOM generation can prove components, versions, licenses, source origins, image digest and artifact reference",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/license_third_party_governance_canonical.json",
      "status_source": "Documentation Hub + future SBOM Generator + Artifact Registry + Container Image Registry",
      "blocking_if_missing": false,
      "failure_impact": "Without SBOM, DEVON-DEV can register individual dependencies but lacks a complete bill of materials for release, audit and incident review."
    },
    {
      "technology": "Model License Registry",
      "required_for": "Track license, allowed use, commercial-use state, attribution and restrictions for local model weights, embeddings models, auxiliary models and future model artifacts.",
      "required_by_phase": "phase-08",
      "required_by_category": "license_third_party_governance",
      "required_by_buckets": [
        "Prerequisites",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until model artifact license metadata and use-policy checks exist",
      "validation_command": "MISSING until model license check can prove model_id, model_name, source_url, license, commercial_use_allowed, restrictions and promotion status",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/license_third_party_governance_canonical.json",
      "status_source": "Documentation Hub + future Model Artifact Registry + ModelOps / LLMOps Registry + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Model License Registry, DEVON-DEV can load or promote a local model without knowing whether its intended use is legally compatible."
    },
    {
      "technology": "License Promotion Gate",
      "required_for": "Block dependency, model, image, snippet, template or package promotion when license, attribution, commercial-use or restricted-use status is missing or incompatible.",
      "required_by_phase": "phase-08",
      "required_by_category": "license_third_party_governance",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until FSM gate integration and approval override path exist",
      "validation_command": "MISSING until license gate can prove license_status, allowed_use, restricted_use, attribution_required, fsm_decision, approval state and audit_record_id",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/license_third_party_governance_canonical.json",
      "status_source": "Documentation Hub + future FSM Decision Core + Compliance Guardrails + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without License Promotion Gate, DEVON-DEV can know a third-party component has restrictions and still promote it because license evidence is not connected to execution blocking."
    }
  ],
  "depends_on": [
    "sec",
    "rbac_permissions",
    "secrets_management",
    "multi_project_isolation",
    "data_governance",
    "compliance_legal_guardrails",
    "dependency_vulnerability_scanner",
    "model_artifact_registry",
    "container_image_registry_build_pipeline",
    "artifact_registry",
    "source_trust_registry",
    "evidence_store",
    "execution_ledger",
    "audit_trail",
    "fsm_absolute_decision",
    "decision_rule_registry",
    "architecture_source_registry"
  ],
  "used_by": [
    "dependency_vulnerability_scanner",
    "modelops_llmops",
    "model_artifact_registry",
    "container_image_registry_build_pipeline",
    "host_security",
    "app_security",
    "module_security",
    "runtime_security",
    "delivery_security",
    "compliance_legal_guardrails",
    "production_deployment_gate",
    "future_execution_monitoring_panel"
  ]
}
