Dependency license policy

KGLite’s source code and independently authored Cypher contract cases are MIT licensed. The project does not copy, translate, vendor, execute, or derive its tests from the Apache-licensed openCypher TCK. Compatibility behavior is implemented from public language descriptions and independently written cases.

That clean-room boundary is separate from ordinary software dependencies. KGLite retains several reviewed permissive dependencies whose own metadata is Apache-2.0 or MPL-2.0, including the MCP protocol implementation. Their use does not change KGLite’s MIT license, but their notices and license metadata must remain visible in distributed SBOMs and source packages.

python scripts/check_dependency_licenses.py audits the locked, all-feature Cargo graph offline. It fails on missing metadata, unknown license expressions, strong copyleft/non-commercial terms without an independently selectable MIT branch, new Apache/MPL-only packages, stale reviewed exceptions, non-SPDX Python metadata, or missing KGLite LICENSE files in publishable crate roots. The reviewed package list lives in tests/api-baselines/dependency-licenses.json; changes require an explicit license review rather than an automatic refresh.