# Third-Party Notices

ChipVerify AI distributes the following open-source software inside its
container images and frontend bundles. Each component is governed by its
own licence; nothing in the ChipVerify proprietary licence (see LICENSE)
restricts the rights granted by these upstream licences.

For GPL/LGPL components, source code is available from the upstream project
linked below. As an alternative written offer for the corresponding source
of GPL components shipped in any ChipVerify distribution (valid for 3 years
from the date of distribution per GPLv2 §3(b)), open a public issue at
<https://github.com/infoinnopaytech/chipverify/issues/new?labels=gpl-source-request&title=GPL+source+code+request>
and we will publish a tarball link within 30 days. (We do not accept inbound
email; the GitHub issue is the canonical channel for this request and stays
publicly archived as legal evidence of the offer.)

## EDA toolchain (backend container)

The list below mirrors the toolchain installed by `backend/Dockerfile`.

### Icarus Verilog (iverilog)
- Upstream: https://github.com/steveicarus/iverilog
- Licence: GNU General Public License v2.0 or later
- Used as: external CLI for Verilog compilation and simulation
- Source: https://github.com/steveicarus/iverilog (tagged release matching the apt version installed via `apt-get install iverilog`)

### Verilator
- Upstream: https://github.com/verilator/verilator
- Licence: LGPL-3.0-or-later OR Artistic-2.0 (dual-licensed)
- Used as: external CLI for high-performance Verilog simulation
- Source: https://github.com/verilator/verilator (tagged release matching the apt version installed via `apt-get install verilator`)

### Yosys
- Upstream: https://github.com/YosysHQ/yosys
- Licence: ISC
- Used as: external CLI for synthesis, lint, and netlist JSON generation
- Source: https://github.com/YosysHQ/yosys (tagged release matching the apt version installed via `apt-get install yosys`)

### SymbiYosys (sby)
- Upstream: https://github.com/YosysHQ/sby
- Licence: ISC
- Used as: external CLI driver for the formal verification flow over Yosys
- Source: cloned from `main` at image-build time per `backend/Dockerfile` `SBY_REF` build-arg

### Z3
- Upstream: https://github.com/Z3Prover/z3
- Licence: MIT
- Used as: SMT solver backing the SymbiYosys formal flow
- Source: https://github.com/Z3Prover/z3 (tagged release matching the apt version installed via `apt-get install z3`)

### EQY and the oss-cad-suite bundle
- Upstream: https://github.com/YosysHQ/oss-cad-suite-build
- Licence: mixed — the bundle aggregates multiple upstream projects under their own licences (ISC, GPL-2.0-or-later, LGPL-3.0-or-later, MIT, Apache-2.0, BSD-3-Clause); the per-component manifest ships at `/opt/oss-cad-suite/manifest.txt` inside the container
- Used as: pinned bundle providing the `eqy` (equivalence checker) wrapper; only the `eqy` entrypoint is exposed via `/usr/local/bin/eqy`
- Source: the dated release tarball (`oss-cad-suite-linux-x64-<version>.tgz`) published at https://github.com/YosysHQ/oss-cad-suite-build/releases, plus each constituent project's upstream as listed in the bundle manifest

### Verible
- Upstream: https://github.com/chipsalliance/verible
- Licence: Apache-2.0
- Used as: external CLIs `verible-verilog-lint` and `verible-verilog-format` for SystemVerilog lint and formatting
- Source: https://github.com/chipsalliance/verible (release tag matching `VERIBLE_VERSION` in `backend/Dockerfile`)

### netlistsvg
- Upstream: https://github.com/nturley/netlistsvg
- Licence: MIT
- Used as: external Node CLI rendering Yosys JSON to SVG schematic diagrams
- Source: https://github.com/nturley/netlistsvg (release matching `NETLISTSVG_VERSION` in `backend/Dockerfile`; also fetchable via `npm pack netlistsvg@<version>`)

### pyslang / Slang
- Upstream: https://github.com/MikePopoloski/slang (C++ core), https://github.com/MikePopoloski/pyslang (Python bindings)
- Licence: MIT
- Used as: Python-imported SystemVerilog parser for static analysis (installed via `backend/requirements.txt`)
- Source: https://github.com/MikePopoloski/pyslang (release matching the version pinned in `backend/requirements.txt`)

## Python libraries (backend)

Every package in `backend/requirements.txt` is permissively licensed
(MIT / Apache-2.0 / BSD / PSF). Notable: FastAPI, SQLAlchemy, Pydantic,
pydantic-settings, Alembic, Uvicorn, httpx, RQ, Redis client, psycopg,
Anthropic SDK, ReportLab, bcrypt, Hypothesis, PyYAML, defusedxml — all
MIT, BSD, or Apache-2.0 (ReportLab is BSD-3-Clause; bcrypt is Apache-2.0).
Run `pip-licenses --format=json --output-file=python-deps.json` inside
the backend image for the machine-readable manifest.

## JavaScript libraries (frontend bundle)

Every package in `frontend/package-lock.json` is permissively licensed
(MIT / ISC / Apache-2.0 / BSD, plus one CC-BY-4.0 typeface). Notable:
React + ReactDOM (MIT), Vite (MIT), TailwindCSS (MIT), Lucide icons
(ISC), React Router (MIT). Run `npx license-checker --production --json`
from `frontend/` for the machine-readable manifest.

## Carve-out

The ChipVerify AI proprietary licence (LICENSE) governs only ChipVerify-authored
code. Recipients of GPL-licensed binary components in our distribution receive
the rights granted under those upstream licences (including reverse-engineering
and source-access rights), notwithstanding any clause in LICENSE that may read
to the contrary.

## Coupling posture & ChipVerify-owned IP

All GPL/LGPL engines above are invoked as **separate subprocesses** (mere
aggregation per the FSF GPL FAQ); ChipVerify neither links any GPL library nor
uses a GPL in-process API (e.g. KLayout's Python/Ruby API), and tool *output* is
not GPL-covered. The deterministic analysis, generation, scoring, and evidence
layers are ChipVerify's own IP, depending only on permissive components
(pyslang/MIT, Python, Rust std): the CDC/RDC engine + structural 2-FF topology,
the combinational-loop detector, advanced lint + confidence, the
functional-coverage instrumentation + closure, design-structure analysis, the IP
generators, the SoC assembler + Visual APB Builder, the evidence pack /
verification score / signed certificate / IP-provenance, and the
dependency-free `chipverify-core/` Rust library. See `PROPRIETARY_CORE_PLAN.md`
for the phased plan to migrate the deterministic core into owned Rust.
