0002. Dependency License Policy

Date: 2026-02-06

Status

Accepted

Context

Chaos Cypher is licensed under AGPL-3.0. While the project itself uses a copyleft license, we maintain a policy of using permissive licenses for all direct dependencies to keep the dependency tree clean and avoid license conflicts with the proprietary enterprise extension package.

A dependency audit revealed that PyMuPDF/pymupdf4llm is licensed under AGPL-3.0, which, while compatible with Chaos Cypher's AGPL-3.0 license, would create issues for the proprietary enterprise edition. All other direct dependencies use permissive licenses (MIT, BSD, Apache-2.0, ISC, MPL-2.0, EPL-2.0).

Python Dependencies (Core)

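| Package | License | Compatible |
|---|---|---|
| sqlmodel | MIT | Yes |
| structlog | MIT/Apache-2.0 | Yes |
| pydantic | MIT | Yes |
| platformdirs | MIT | Yes |
| sqlite-vec | MIT | Yes |
| anthropic | MIT | Yes |
| openai | Apache-2.0 | Yes |
| pymupdf4llm | AGPL-3.0 | No |
| unstructured | Apache-2.0 | Yes |
| pyspellchecker | MIT | Yes |
| simhash | MIT | Yes |
| ftfy | Apache-2.0 | Yes |
| trafilatura | Apache-2.0 | Yes |
| python-dotenv | BSD-3 | Yes |
| tqdm | MIT/MPL-2.0 | Yes |
| httpx | BSD-3 | Yes |
| jsonschema | MIT | Yes |
| langchain | MIT | Yes |
| langchain-core | MIT | Yes |
| langchain-text-splitters | MIT | Yes |
| langgraph | MIT | Yes |
| langchain-ollama | MIT | Yes |
| langchain-openai | MIT | Yes |
| langchain-anthropic | MIT | Yes |
| langchain-google-genai | MIT | Yes |
| pypdf | BSD-3 | Yes |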

Python Dependencies (Cortex/Neuron)

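| Package | License | Compatible |
|---|---|---|
| fastapi | MIT | Yes |
| uvicorn | BSD-3 | Yes |
| pydantic-settings | MIT | Yes |
| bcrypt | Apache-2.0 | Yes |
| PyJWT | MIT | Yes |
| PyYAML | MIT | Yes |
| dynaconf | MIT | Yes |
| valkey (Python client) | MIT | Yes |
| arq | MIT | Removed |
| requests | Apache-2.0 | Removed |
| beautifulsoup4 | MIT | Removed |
| lxml | BSD-3 | Removed |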

Note: The Redis server (redis:7.4+) changed to RSALv2/SSPLv1. We use Valkey (BSD-3-Clause) as our Redis-compatible server. See ADR-0004.

Node.js Dependencies (Interface)

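| Package | License | Compatible |
|---|---|---|
| react | MIT | Yes |
| typescript | Apache-2.0 | Yes |
| vite | MIT | Yes |
| @mui/material | MIT | Yes |
| @tanstack/react-query | MIT | Yes |
| axios | MIT | Yes |
| react-router-dom | MIT | Yes |
| zustand | MIT | Yes |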

Decision

  1. Require permissive licenses only for all direct dependencies (MIT, BSD, Apache-2.0, ISC, MPL-2.0).
  2. Replace PyMuPDF/pymupdf4llm (AGPL-3.0) with pypdf (BSD-3) for PDF text extraction (see ADR-0003).
  3. Audit new dependencies before adding them to ensure license compatibility.

Rationale

  • While Chaos Cypher itself is AGPL-3.0, keeping dependencies permissive avoids license conflicts with the proprietary enterprise extension
  • AGPL-3.0 dependencies would require the enterprise edition to also be AGPL-3.0, preventing proprietary distribution
  • pypdf provides equivalent PDF text extraction under BSD-3, a permissive license
  • All other dependencies already use permissive licenses

Alternatives Considered

| Option | Pros | Cons |
|---|---|---|
| Keep PyMuPDF | Better markdown output, faster | AGPL contaminates entire codebase |
| pdfplumber | Good table extraction | GPL-3.0 (same problem) |
| pypdf (chosen) | BSD-3, mature, well-maintained | Plain text only (no markdown structure) |
| pdfminer.six | MIT, detailed layout | Slower, more complex API |

Consequences

Positive

  • License-clean codebase - All dependencies are permissively licensed
  • Commercial viability - No AGPL obligations for network deployment
  • Clear policy - Future dependency additions must pass license check

Negative

  • PDF quality reduction - pypdf extracts plain text, not structured markdown
  • Ongoing vigilance - Must check licenses when adding new dependencies

Neutral

  • Existing functionality preserved - PDF extraction still works, just produces plain text instead of markdown
  • Plugin architecture unchanged - Custom loaders can still use any library the user chooses

Note: The reflective auto-migrator described above was superseded in part on 2026-04-20. See ADR-0006 — Re-adopt Alembic.

References