# Software Inventory — FOSS Status, Licensing & Security Audits

**Last updated:** 2026-03-14
**Source:** [mmo-platform distributed-agent-system.md, Part 24](../../mmo-platform/docs/plans/distributed-agent-system.md)

---

## Non-FOSS Flags (action required before production)

| Software | Issue | Action |
| --- | --- | --- |
| **CAI (Alias Robotics)** | Non-commercial research license — commercial use requires a paid license | Obtain a commercial license from aliasrobotics.com before the first production pen test run. **PentAGI** (MIT) is the FOSS fallback — covers the full kill chain, 20+ bundled tools, but has no published CTF benchmark data vs CAI's validated 99.04%. |
| **Better Stack** | Proprietary SaaS (log aggregation) | Replace with **Grafana Loki** (AGPL-3.0, self-hosted). Already using Grafana — Loki is a first-class datasource. Replace `rsyslog → TLS 6514` with `Promtail → HTTP → Loki`. |
| **Redis** | Was SSPL (non-OSI) from March 2024 | Use **Valkey** (BSD-3-Clause, Linux Foundation) — wire-compatible drop-in for Redis 7.2. Redis 8 is back to AGPL-3.0, but Valkey eliminates copyleft concerns entirely. |

---

## Full Inventory

| Software | License | Source | FOSS | Last Security Audit |
| --- | --- | --- | --- | --- |
| PostgreSQL | PostgreSQL License (permissive, OSI) | [github.com/postgres/postgres](https://github.com/postgres/postgres) | ✅ | Continuous via core team; no single public audit |
| **Valkey** | BSD-3-Clause | [github.com/valkey-io/valkey](https://github.com/valkey-io/valkey) | ✅ | Linux Foundation governed; no formal audit |
| Grafana | AGPL-3.0 | [github.com/grafana/grafana](https://github.com/grafana/grafana) | ✅ | [Cure53, 2023](https://grafana.com/security/security-report/) |
| Grafana Loki | AGPL-3.0 | [github.com/grafana/loki](https://github.com/grafana/loki) | ✅ | Part of Grafana security program |
| Prometheus | Apache-2.0 | [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus) | ✅ | CNCF graduated; no standalone public audit |
| IronClaw | Apache-2.0 / MIT dual | [github.com/nearai/ironclaw](https://github.com/nearai/ironclaw) | ✅ | No formal audit — WASM + HMAC design-reviewed |
| Shannon | AGPL-3.0 (Lite) | [github.com/KeygraphHQ/shannon](https://github.com/KeygraphHQ/shannon) | ✅ | No formal audit |
| Strix | Apache-2.0 | [github.com/usestrix/strix](https://github.com/usestrix/strix) | ✅ | No formal audit |
| CAI (Alias Robotics) | Non-commercial research ⚠️ | [github.com/aliasrobotics/cai](https://github.com/aliasrobotics/cai) | ⚠️ | No formal audit |
| PentAGI (CAI fallback) | MIT | [github.com/vxcontrol/pentagi](https://github.com/vxcontrol/pentagi) | ✅ | No formal audit |
| NetBird | BSD-3-Clause | [github.com/netbirdio/netbird](https://github.com/netbirdio/netbird) | ✅ | WireGuard (underlying protocol) audited 2019 |
| Rosenpass | MIT / Apache-2.0 dual | [github.com/rosenpass/rosenpass](https://github.com/rosenpass/rosenpass) | ✅ | [Cure53, 2023](https://github.com/rosenpass/rosenpass/blob/main/audit/) ✅ |
| RustDesk | AGPL-3.0 | [github.com/rustdesk/rustdesk](https://github.com/rustdesk/rustdesk) | ✅ | No formal audit |
| LiteLLM | MIT | [github.com/BerriAI/litellm](https://github.com/BerriAI/litellm) | ✅ | No formal audit (obsolete in plan — Claude Max) |
| ClamAV | GPL-2.0 | [github.com/Cisco-Talos/clamav](https://github.com/Cisco-Talos/clamav) | ✅ | Cisco-maintained; no public third-party audit |
| Docker Engine | Apache-2.0 | [github.com/moby/moby](https://github.com/moby/moby) | ✅ | [containerd: Cure53, 2023](https://containerd.io/docs/security/) ✅ |
| Playwright | Apache-2.0 | [github.com/microsoft/playwright](https://github.com/microsoft/playwright) | ✅ | No formal audit |
| NixOS / nixpkgs | MIT | [github.com/NixOS/nixpkgs](https://github.com/NixOS/nixpkgs) | ✅ | Reproducible builds reduce supply chain risk; no single audit |
| MCP (Model Context Protocol) | Open standard (Linux Foundation) | [github.com/modelcontextprotocol](https://github.com/modelcontextprotocol) | ✅ | Anthropic internal review; no third-party audit |
| sops | Mozilla Public License 2.0 | [github.com/getsops/sops](https://github.com/getsops/sops) | ✅ | [Cure53, 2023](https://github.com/getsops/sops/blob/master/audit/) ✅ |
| Agency Agents | MIT | [github.com/msitarzewski/agency-agents](https://github.com/msitarzewski/agency-agents) | ✅ | No formal audit (markdown templates only) |
| PromptFoo | MIT | [github.com/promptfoo/promptfoo](https://github.com/promptfoo/promptfoo) | ✅ | No formal audit |
| Impeccable | Apache-2.0 | [github.com/pbakaus/impeccable](https://github.com/pbakaus/impeccable) | ✅ | No formal audit (skill files only) |
| OpenViking | Apache-2.0 | [github.com/volcengine/OpenViking](https://github.com/volcengine/OpenViking) | ✅ | No formal audit |
| MiroFish | AGPL-3.0 | [github.com/666ghj/MiroFish](https://github.com/666ghj/MiroFish) | ✅ | No formal audit |
| Heretic | AGPL-3.0 | [github.com/CardinalBlack/heretic-llm-jailbreaker](https://github.com/CardinalBlack/heretic-llm-jailbreaker) | ✅ | No formal audit |

---

## Audit Coverage Summary

4 tools have formal third-party security audits:

| Tool | Auditor | Year | Report |
| --- | --- | --- | --- |
| Rosenpass | Cure53 | 2023 | [github.com/rosenpass/rosenpass/blob/main/audit/](https://github.com/rosenpass/rosenpass/blob/main/audit/) |
| Grafana | Cure53 | 2023 | [grafana.com/security/security-report/](https://grafana.com/security/security-report/) |
| containerd (Docker) | Cure53 | 2023 | [containerd.io/docs/security/](https://containerd.io/docs/security/) |
| sops | Cure53 | 2023 | [github.com/getsops/sops/blob/master/audit/](https://github.com/getsops/sops/blob/master/audit/) |

**Priority audit candidates** (highest risk, no audit yet):

1. **IronClaw** — agent runtime with WASM execution and secret access
2. **CAI** — autonomous pen tester running against our infrastructure
3. **NetBird** — VPN mesh connecting all nodes