Skip to content

crp.license_guard

Auto-generated reference for the crp.license_guard subpackage.

license_guard

crp.license_guard

License enforcement guard for CRP™ - Context Relay Protocol.

This module implements CODE-LEVEL IP protections that complement the Elastic License 2.0 (ELv2) legal protections. It MUST NOT be removed, modified, or bypassed. Doing so constitutes a violation of the license.

Enforcement levels (graduated): BLOCK - Hard stop (raises CRPError). Managed-service usage without a commercial license is prohibited under ELv2 §2. DEGRADE - Feature degradation. If license headers are tampered with, advanced features (Stage 3+, CKF graph retrieval, continuation) are disabled for the session. WARN - Advisory warning logged and emitted. Informational only.

Protections
  1. Runtime license header verification on core modules
  2. Managed-service usage detection & blocking (§ELv2 Limitation)
  3. Attribution verification (copyright notices must be preserved)
  4. Module integrity fingerprint validation
  5. Output watermarking with license metadata
  6. Violation telemetry (local logging only - no phone-home)
  7. Fork/clone provenance binding - origin verification
  8. Code-signature chain - tamper-evident module registry
  9. Redistribution detection - package metadata binding

verify_license_headers()

Verify that core modules retain their license headers.

Returns a list of modules with missing/modified headers. If any are found, sets _state.tamper_detected = True and triggers feature degradation.

check_managed_service_restriction()

Check if CRP is being deployed as a managed service.

Under the Elastic License 2.0 §2, providing the functionality of CRP to third parties as a managed service is PROHIBITED without a commercial license from the Licensor.

This function BLOCKS (raises CRPError) if managed-service indicators are detected AND no commercial license key is present.

Returns True if managed-service indicators are detected (blocked or licensed).

is_feature_allowed(feature)

Check if a feature is allowed under current enforcement state.

When license headers have been tampered with, advanced features are disabled. This function is called at feature entry points.

Features gated
  • "stage_3": GLiNER extraction
  • "stage_4": UIE relation extraction
  • "stage_5": Discourse extraction
  • "stage_6": LLM-assisted extraction
  • "ckf_graph": CKF graph-aware retrieval
  • "continuation_extended": Continuation beyond 3 windows
  • "cross_encoder": Cross-encoder reranking

watermark_output(output, session_id='')

Embed a license watermark in CRP output.

The watermark is a minimal metadata comment appended to the output. It identifies this output as produced by CRP under the Elastic License 2.0.

Watermarking can be disabled by setting the environment variable CRP_DISABLE_WATERMARK=1 (used by the test suite to assert exact provider outputs).

compute_module_fingerprint(module_name)

Compute SHA-256 fingerprint of a module's source file.

get_module_fingerprints()

Compute fingerprints for all core modules.

verify_package_provenance()

Verify that the installed package matches canonical provenance.

Catches
  • Renamed forks published to PyPI under a different name
  • Vendored copies with altered metadata
  • pip-installed copies with stripped attribution

Returns list of provenance violations (empty = clean).

verify_origin_binding()

Check if the code is running from an authorized origin.

Detects
  • Git remote pointing to a non-canonical repository (fork/clone theft)
  • Missing .git directory (source archive redistribution)
  • Modified origin URL (repo transferred/stolen)

This is ADVISORY - does not block, only logs. Forks for personal study/modification are permitted under ELv2, but redistribution as a managed service is not.

build_integrity_manifest()

Build a tamper-evident manifest of all core CRP modules.

Returns a dict mapping module names to their SHA-256 fingerprints plus a combined chain hash. If any module is modified, the chain hash changes - making it trivially detectable.

verify_integrity_manifest(manifest)

Verify a previously-built integrity manifest against current state.

Returns list of modules whose fingerprints have changed.

verify_guard_integrity()

Verify that this license guard module has not been gutted/stubbed.

Attackers may replace license_guard.py with a stub that passes all checks. This function verifies the module's own source has a minimum complexity threshold (line count > 200, size > 5KB), contains required enforcement function names, and the startup check is wired.

get_license_info()

Return machine-readable license metadata for this installation.