NOTICE
Wardex Foundry
Copyright 2026-present Wardex Foundry Contributors
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
-------------------------------------------------------------------------------
THIRD-PARTY COMPONENTS
This inventory provides traceability for all components bundled or orchestrated by this lab, in compliance with the Cyber Resilience Act (CRA) and DORA requirements for ICT supply chain visibility.
1. HashiCorp Vault
License: Business Source License (BSL) 1.1 / Mozilla Public License (MPL) 2.0 (pre-1.15)
Source: https://github.com/hashicorp/vault
Audit command: `docker exec vault vault version`
Regulatory Note: Used in a non-competitive lab context; compliant with BSL 1.1 terms.
2. Prometheus
License: Apache License 2.0
Source: https://github.com/prometheus/prometheus
Audit command: `docker exec prometheus prometheus --version`
3. Grafana
License: GNU Affero General Public License v3.0 (AGPLv3)
Source: https://github.com/grafana/grafana
Audit command: `docker exec grafana grafana-cli --version`
Regulatory Note: Orchestrated over network; no AGPL contamination of lab source code.
4. Bitnami Kafka
License: Apache License 2.0
Source: https://github.com/bitnami/containers/tree/main/bitnami/kafka
Audit command: `docker exec kafka kafka-topics.sh --version`
5. Vexil
License: Apache License 2.0
Source: https://github.com/had-nu/vexil
Audit command: `vexil --version`
Regulatory Note: Lightweight secrets scanner used via subprocess.
6. Trivy (Aqua Security)
License: Apache License 2.0
Source: https://github.com/aquasecurity/trivy
Audit command: `trivy --version`
Regulatory Note: Optional vulnerability scanner.
-------------------------------------------------------------------------------
SBOM GENERATION
To generate a complete Software Bill of Materials (SBOM) for the Go backend:
`syft packages dir:. -o spdx-json > wardex-foundry-sbom.json`