# MuseHub Dependency License Audit

**Date: 2026-04-05**
**MuseHub version: current**

This document records the license of each direct dependency. All licenses listed are compatible with MuseHub's distribution model (server-side SaaS deployment, not binary redistribution).

---

## Direct Dependencies

| Package | Version range | License | OSI approved | Notes |
|---------|--------------|---------|:---:|-------|
| fastapi | >=0.135.1 | MIT | Yes | Web framework |
| jinja2 | >=3.1.6 | BSD-3-Clause | Yes | HTML templating |
| aiofiles | >=25.1.0 | Apache-2.0 | Yes | Async file I/O |
| uvicorn | >=0.42.0 | BSD-3-Clause | Yes | ASGI server |
| httpx | >=0.28.1 | BSD-3-Clause | Yes | Async HTTP client |
| pydantic | >=2.12.5 | MIT | Yes | Data validation |
| pydantic-settings | >=2.13.1 | MIT | Yes | Settings management |
| websockets | >=15.0.1 | BSD-3-Clause | Yes | WebSocket support |
| sqlalchemy | >=2.0.48 | MIT | Yes | ORM + async DB |
| asyncpg | >=0.31.0 | Apache-2.0 | Yes | PostgreSQL async driver |
| alembic | >=1.18.4 | MIT | Yes | DB migrations |
| psycopg2-binary | >=2.9.10 | LGPL-3.0 | Yes | PostgreSQL driver; LGPL applies only to the library itself, not to application code linking it dynamically |
| slowapi | >=0.1.9 | MIT | Yes | Rate limiting |
| cryptography | >=46.0.5 | Apache-2.0 AND BSD-3-Clause | Yes | Ed25519 / Fernet |
| boto3 | >=1.42.71 | Apache-2.0 | Yes | AWS SDK (S3, CloudWatch) |
| mido | >=1.3.3 | MIT | Yes | MIDI parsing |
| pyyaml | >=6.0.2 | MIT | Yes | YAML parsing |
| mistune | >=3.0.0 | BSD-3-Clause | Yes | Markdown rendering |
| typer | >=0.15.4 | MIT | Yes | CLI framework |
| msgpack | >=1.1 | Apache-2.0 | Yes | Binary serialization |

---

## Notes

### psycopg2-binary (LGPL-3.0)

LGPL-3.0 requires that users be able to replace the LGPL library with a modified version. In a SaaS deployment where we do not distribute binaries to end users, the LGPL dynamic-linking exception effectively means there are no obligations beyond attribution. No action required.

### cryptography (Apache-2.0 + BSD-3-Clause)

The `cryptography` package bundles OpenSSL (Apache-2.0) and its own Python layer (BSD-3-Clause). Both are permissive. No action required.

---

## Transitive Dependencies

Transitive licenses are not audited individually in this document. The key constraints are:

- We have no GPL-2.0-only transitive dependencies (which would require open-sourcing our application code).
- LGPL transitive dependencies are acceptable under the dynamic-linking exception for server-side SaaS.
- All MIT, Apache-2.0, BSD-2/3-Clause transitive dependencies are unrestricted.

Run `pip-licenses --from=mixed --format=markdown` to generate a full transitive audit.

---

## Review Schedule

This audit should be updated whenever a new direct dependency is added or a major version is bumped. Target: quarterly review.

**Next review: 2026-07-05**
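---

## Example: Checking a Transitive Audit Against the Constraints

The following script is an added example, not part of the audit or of MuseHub's own code. It applies the three constraints from the Transitive Dependencies section to the JSON form of pip-licenses output (it assumes `pip-licenses --format=json` emits objects with `Name`, `Version` and `License` keys); the sample data below is constructed, and packages prefixed `hypothetical-` do not exist.

```python
import json
from collections import defaultdict

# Constructed sample of `pip-licenses --from=mixed --format=json` output.
# The "Name"/"Version"/"License" keys are assumed from pip-licenses' JSON format;
# the hypothetical-* packages are invented for the example.
SAMPLE_PIP_LICENSES_JSON = json.dumps([
    {"Name": "fastapi", "Version": "0.135.1", "License": "MIT License"},
    {"Name": "cryptography", "Version": "46.0.5", "License": "Apache Software License; BSD License"},
    {"Name": "psycopg2-binary", "Version": "2.9.10",
     "License": "GNU Library or Lesser General Public License (LGPL)"},
    {"Name": "hypothetical-gpl2-pkg", "Version": "1.0", "License": "GPL-2.0-only"},
    {"Name": "hypothetical-agpl-pkg", "Version": "0.3", "License": "AGPL-3.0-only"},
    {"Name": "hypothetical-nolicense-pkg", "Version": "0.1", "License": "UNKNOWN"},
])

PERMISSIVE_MARKERS = ("MIT", "APACHE", "BSD")
GPL2_MARKERS = ("GPL-2", "GPLV2", "GPL V2", "GPL 2")


def classify(license_text: str) -> str:
    """Return 'allowed', 'acceptable', 'forbidden' or 'review' for one license string.

    Copyleft markers are tested before permissive ones so a dual-licensed or
    mislabelled entry is never waved through on a permissive substring match.
    """
    text = license_text.upper()
    if "AGPL" in text or "AFFERO" in text:
        return "review"          # network copyleft: not covered by the audit's constraints
    if "LGPL" in text or "LESSER" in text:
        return "acceptable"      # LGPL: dynamic-linking exception for server-side SaaS
    if "GPL" in text:
        if any(m in text for m in GPL2_MARKERS) and "LATER" not in text:
            return "forbidden"   # GPL-2.0-only: the one license the audit rules out
        return "review"          # other GPL variants: decide by hand
    if any(m in text for m in PERMISSIVE_MARKERS):
        return "allowed"         # MIT / Apache-2.0 / BSD: unrestricted per the audit
    return "review"              # UNKNOWN, proprietary or unparsed strings


def audit(pip_licenses_json: str) -> dict:
    """Group package names from pip-licenses JSON output by classification."""
    report = defaultdict(list)
    for entry in json.loads(pip_licenses_json):
        report[classify(entry["License"])].append(entry["Name"])
    return dict(report)


def blockers(report: dict) -> list:
    """Packages that must be resolved by hand before the audit is signed off."""
    return sorted(report.get("forbidden", []) + report.get("review", []))


if __name__ == "__main__":
    result = audit(SAMPLE_PIP_LICENSES_JSON)
    for category, names in sorted(result.items()):
        print(f"{category:10s} {', '.join(names)}")
    print("blockers:", blockers(result))
```

Pipe real output in with `pip-licenses --from=mixed --format=json | python audit_check.py` after replacing the constructed sample with `sys.stdin.read()`; a non-empty `blockers` list is what should fail the quarterly review.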