crp.license_guard¶
Auto-generated reference for the crp.license_guard subpackage.
license_guard¶
crp.license_guard ¶
License enforcement guard for CRP™ - Context Relay Protocol.
This module implements CODE-LEVEL IP protections that complement the Elastic License 2.0 (ELv2) legal protections. It MUST NOT be removed, modified, or bypassed. Doing so constitutes a violation of the license.
Enforcement levels (graduated): BLOCK - Hard stop (raises CRPError). Managed-service usage without a commercial license is prohibited under ELv2 §2. DEGRADE - Feature degradation. If license headers are tampered with, advanced features (Stage 3+, CKF graph retrieval, continuation) are disabled for the session. WARN - Advisory warning logged and emitted. Informational only.
Protections
- Runtime license header verification on core modules
- Managed-service usage detection & blocking (§ELv2 Limitation)
- Attribution verification (copyright notices must be preserved)
- Module integrity fingerprint validation
- Output watermarking with license metadata
- Violation telemetry (local logging only - no phone-home)
- Fork/clone provenance binding - origin verification
- Code-signature chain - tamper-evident module registry
- Redistribution detection - package metadata binding
verify_license_headers() ¶
Verify that core modules retain their license headers.
Returns a list of modules with missing/modified headers. If any are found, sets _state.tamper_detected = True and triggers feature degradation.
check_managed_service_restriction() ¶
Check if CRP is being deployed as a managed service.
Under the Elastic License 2.0 §2, providing the functionality of CRP to third parties as a managed service is PROHIBITED without a commercial license from the Licensor.
This function BLOCKS (raises CRPError) if managed-service indicators are detected AND no commercial license key is present.
Returns True if managed-service indicators are detected (blocked or licensed).
is_feature_allowed(feature) ¶
Check if a feature is allowed under current enforcement state.
When license headers have been tampered with, advanced features are disabled. This function is called at feature entry points.
Features gated
- "stage_3": GLiNER extraction
- "stage_4": UIE relation extraction
- "stage_5": Discourse extraction
- "stage_6": LLM-assisted extraction
- "ckf_graph": CKF graph-aware retrieval
- "continuation_extended": Continuation beyond 3 windows
- "cross_encoder": Cross-encoder reranking
watermark_output(output, session_id='') ¶
Embed a license watermark in CRP output.
The watermark is a minimal metadata comment appended to the output. It identifies this output as produced by CRP under the Elastic License 2.0.
Watermarking can be disabled by setting the environment variable CRP_DISABLE_WATERMARK=1 (used by the test suite to assert exact provider outputs).
compute_module_fingerprint(module_name) ¶
Compute SHA-256 fingerprint of a module's source file.
get_module_fingerprints() ¶
Compute fingerprints for all core modules.
verify_package_provenance() ¶
Verify that the installed package matches canonical provenance.
Catches
- Renamed forks published to PyPI under a different name
- Vendored copies with altered metadata
- pip-installed copies with stripped attribution
Returns list of provenance violations (empty = clean).
verify_origin_binding() ¶
Check if the code is running from an authorized origin.
Detects
- Git remote pointing to a non-canonical repository (fork/clone theft)
- Missing .git directory (source archive redistribution)
- Modified origin URL (repo transferred/stolen)
This is ADVISORY - does not block, only logs. Forks for personal study/modification are permitted under ELv2, but redistribution as a managed service is not.
build_integrity_manifest() ¶
Build a tamper-evident manifest of all core CRP modules.
Returns a dict mapping module names to their SHA-256 fingerprints plus a combined chain hash. If any module is modified, the chain hash changes - making it trivially detectable.
verify_integrity_manifest(manifest) ¶
Verify a previously-built integrity manifest against current state.
Returns list of modules whose fingerprints have changed.
verify_guard_integrity() ¶
Verify that this license guard module has not been gutted/stubbed.
Attackers may replace license_guard.py with a stub that passes all checks. This function verifies the module's own source has a minimum complexity threshold (line count > 200, size > 5KB), contains required enforcement function names, and the startup check is wired.
get_license_info() ¶
Return machine-readable license metadata for this installation.