Third-party software & licenses
In Falcone itself is MIT-licensed (see LICENSE). It builds on the third-party software below. Components marked ⚠ are copyleft or source-available (not OSI open source) — see License compatibility.
Licenses were verified from each package's own metadata / repository, not from memory. For the complete dependency tree (beyond the principal components listed here) see Completeness & SBOM.
Platform & infrastructure
Deployed as separate services / container images that In Falcone talks to over the network.
| Component | Role in In Falcone | License (SPDX) | Link |
|---|---|---|---|
| PostgreSQL 16 (+ pgvector) | Primary tenant datastore; RLS + schema-per-tenant isolation; pgvector for vector search | PostgreSQL | postgresql.org · pgvector |
| MongoDB Server 7 | Per-tenant/workspace document data API | ⚠ SSPL-1.0 | mongodb.com |
| Redpanda 24.2 | Kafka-compatible event bus / CDC streaming | ⚠ BSL-1.1 (Redpanda) + RCL | licenses |
| MinIO | S3-compatible object storage | ⚠ AGPL-3.0 | LICENSE |
| HashiCorp Vault 1.18 | Secrets management | ⚠ BUSL-1.1 | LICENSE |
| Keycloak 26 | Realm-per-tenant IAM / OIDC | Apache-2.0 | keycloak |
| Apache APISIX 3.9 | API gateway (public /v1 surface) | Apache-2.0 | apisix |
| Temporal (server 1.25 + TypeScript SDK 1.18) | Durable workflow engine behind Flows | MIT | temporal · sdk-typescript |
| Knative Serving + Kourier | Serverless functions runtime | Apache-2.0 | serving · net-kourier |
| Apache OpenWhisk | Legacy / optional functions engine | Apache-2.0 | openwhisk |
| Kubernetes + Helm | Deployment & orchestration | Apache-2.0 | kubernetes · helm |
| Node.js 22 | Service runtime | MIT | nodejs |
| nginx | Static serving of the web-console image | BSD-2-Clause | nginx.org |
Application frameworks & libraries (npm)
| Component | Role in In Falcone | License (SPDX) | Link |
|---|---|---|---|
| React 18 | Web console UI | MIT | react |
| Vite | Console build & dev server | MIT | vite |
| TypeScript | Typed source (console, workflow worker) | Apache-2.0 | TypeScript |
| Tailwind CSS | Console styling | MIT | tailwindcss |
React Flow (@xyflow/react) | Visual Flows designer canvas | MIT | xyflow |
Monaco Editor (+ monaco-yaml) | In-console code / YAML editing | MIT | monaco-editor |
node-postgres (pg) | PostgreSQL client | MIT | node-postgres |
MongoDB Node Driver (mongodb) | MongoDB client | Apache-2.0 | node-mongodb-native |
| KafkaJS | Kafka / Redpanda client | MIT | kafkajs |
AWS SDK for JS v3 (@aws-sdk/client-s3) | S3 / MinIO client | Apache-2.0 | aws-sdk-js-v3 |
| jose + jwks-rsa | JWT / JWKS validation | MIT | jose · node-jwks-rsa |
| ws | WebSocket realtime gateway | MIT | ws |
| Ajv | JSON Schema validation | MIT | ajv |
| cel-js | Capability / policy expression evaluation | MIT | cel-js |
| Playwright | Real-stack E2E tests | Apache-2.0 | playwright |
License compatibility
Review before any hosted or commercial offering
In Falcone's own code is MIT, which is compatible with consuming all the permissive components above (MIT, Apache-2.0, ISC, BSD, PostgreSQL). The ⚠ components are not OSI open source and deserve review:
- MongoDB (
SSPL-1.0), MinIO (AGPL-3.0), Redpanda (BSL-1.1+RCL) and Vault (BUSL-1.1) are copyleft or source-available. - Running them as separate backing services In Falcone talks to over the network does not, by itself, impose their license on In Falcone's MIT code (no linking / derivative work). But their "offer-as-a-service" / "competitive service" clauses are directly relevant to a multi-tenant BaaS that re-exposes their functionality to tenants — a Mongo data API, a Kafka/events API, an S3 storage API. In particular, SSPL §13 and AGPL §13 target offering the software's functionality as a service, and the Redpanda / Vault BSL grants exclude competing managed offerings. Review these terms before any hosted or commercial offering. All four are swappable at the deployment layer if their terms don't fit your use.
This is engineering guidance, not legal advice — have counsel review before distribution.
Completeness & SBOM
This page lists the principal third-party components, not the full transitive dependency tree (minor utilities — undici, clsx, lucide-react, uuid, cron-parser, js-yaml, etc. — are omitted). For the complete picture, generate a license report from the monorepo:
pnpm sbom:licenses # human-readable table of every dependency's license
pnpm sbom:licenses:json # machine-readable JSON, keyed by SPDX identifierCI also produces this report on every run — the third-party-license-report artifact of the security job in .github/workflows/ci.yml. If Python or Go components are added later, complement it with pip-licenses and go-licenses respectively, and review the output before distribution.