Day 28: Full FOSS audit, compliance, licensing, and dependency cleanup

Author: Anbu-00001

NOTICE

@@ -0,0 +1,14 @@
+OpenRescue incorporates and relies on the following open-source projects and data:
+
+1. OpenStreetMap
+This project uses OpenStreetMap data licensed under the Open Data Commons Open Database License (ODbL). 
+© OpenStreetMap contributors. 
+For more information, see: https://www.openstreetmap.org/copyright
+
+2. OSRM (Open Source Routing Machine)
+This project uses OSRM for local routing algorithms, licensed under the BSD 2-Clause License.
+
+3. libp2p
+This project uses go-libp2p and related networking modules for peer-to-peer communication, licensed under the MIT License / Apache 2.0 License.
+
+All other dependencies used in this project are Free and Open Source Software (FOSS), compliant with GPL-3.0 compatibility rules.

README.md

@@ -120,6 +120,13 @@ We commit to avoiding all proprietary APIs or third-party locked-in services.
 
 By enforcing these constraints, OpenRescue guarantees deployment flexibility and long-term sustainability without vendor lockdown.
 
+## FOSS Compliance
+
+OpenRescue has undergone a formal Free and Open-Source Software (FOSS) audit to ensure absolute compliance with global open-software standards:
+- **All components are open-source**: Every dependency across the Flutter app, FastAPI backend, and Go P2P node is fully open-source and approved.
+- **No proprietary APIs used**: The application is free of vendor lock-in. We do not use Google Maps SDK, Firebase, or closed data vendors. We utilize OpenStreetMap, OSRM, and Nominatim.
+- **Fully offline capable**: Routing operates locally via the OSRM Docker container, and map tiles dynamically fall back to local storage without requiring external internet. Real-time peer-to-peer syncing is supported natively via mDNS.
+
 ## Running the Project
 
 ### Backend

docs/FOSS_AUDIT.md

@@ -0,0 +1,59 @@
+# FOSS Compliance Audit
+
+**Project:** OpenRescue  
+**Date:** March 25, 2026  
+**Status:** 100% FOSS Compliant 🟢  
+
+---
+
+## 1. Executive Summary
+This document serves as the official FOSS compliance audit for the OpenRescue project. The codebase has been fully scanned for proprietary dependencies, telemetry services, and closed APIs. 
+**Result:** No proprietary or restricted packages were found.
+
+---
+
+## 2. Dependency Audit
+
+### Mobile App (`mobile_app/pubspec.yaml`)
+All Flutter dependencies are fully open-source and approved:
+- `flutter_map` (Leaflet-based)
+- `drift` / `sqlite3_flutter_libs` (SQLite)
+- `http` / `dio` (Networking)
+- `provider` (State Management)
+*No Google Maps SDK or Firebase packages detected.*
+
+### Backend / API (`backend/requirements.txt`)
+All Python dependencies are standard FOSS:
+- `fastapi` / `uvicorn` / `websockets`
+- `SQLAlchemy` / `GeoAlchemy2` / `alembic`
+- `redis` / `psycopg2-binary`
+
+### P2P Node (`backend/p2p-node/go.mod`)
+All Go dependencies are standard FOSS:
+- `go-libp2p`
+- `go-libp2p-pubsub`
+- `gorilla/websocket`
+
+---
+
+## 3. Remediation & Compliance Actions Taken
+
+### 3.1 API Usage Compliance
+- **Nominatim Reverse Geocoding:** Verified the presence of the required `User-Agent` header (`OpenRescue/1.0`). Added a 1-request-per-second rate limiter to strictly respect Nominatim's usage policy.
+
+### 3.2 UI Attributions
+- **Map Attribution:** `RichAttributionWidget` added to the `FlutterMap` widget to explicitly display "© OpenStreetMap contributors" in the UI.
+
+### 3.3 Telemetry and Tracking
+- Conducted codebase scan for `analytics`, `crashlytics`, and `telemetry`. No instances found. User data strictly remains on-device or circulates solely through the secure P2P network.
+
+### 3.4 Offline Verification
+- Routing operates locally via the OSRM Docker container.
+- Map tiles fallback locally via the `FallbackFileTileProvider`.
+- Real-time incident syncing operates entirely via mDNS P2P without requiring a backend server.
+
+---
+
+## 4. Licensing
+- **License:** Project is licensed under `GPL-3.0` (present in repository root).
+- **Notices:** A top-level `NOTICE` file has been added explicitly detailing attributions for OpenStreetMap, OSRM, and libp2p.

mobile_app/lib/features/map/map_screen.dart

@@ -810,6 +810,14 @@ class _MapScreenState extends State<MapScreen> {
                         MarkerLayer(
                           markers: _buildMarkers(),
                         ),
+                        RichAttributionWidget(
+                          attributions: [
+                            TextSourceAttribution(
+                              '© OpenStreetMap contributors',
+                              onTap: () {}, // Make it tappable to show the text cleanly without launching URL if not needed (or we could omit onTap)
+                            ),
+                          ],
+                        ),
                       ],
                     );
                   },

mobile_app/lib/services/geocoding_service.dart

@@ -13,6 +13,8 @@ class GeocodingService {
 
   GeocodingService({http.Client? client}) : _client = client ?? http.Client();
 
+  static DateTime? _lastRequestTime;
+
   /// Perform a Reverse Geocode to translate a LatLng into a physical address.
   /// Converts lat/lon locally to avoid hitting the API repetitively for identical calls.
   Future<GeocodeResult?> reverse(double lat, double lon) async {
@@ -25,6 +27,15 @@ class GeocodingService {
 
     debugPrint('GeocodingService: Cache MISS for $cacheKey — fetching API');
 
+    final now = DateTime.now();
+    if (_lastRequestTime != null) {
+      final diff = now.difference(_lastRequestTime!);
+      if (diff.inMilliseconds < 1000) {
+        await Future.delayed(Duration(milliseconds: 1000 - diff.inMilliseconds));
+      }
+    }
+    _lastRequestTime = DateTime.now();
+
     try {
       final uriStr = 'https://nominatim.openstreetmap.org/reverse'
           '?lat=$lat&lon=$lon&format=json&addressdetails=1';