# Governance — bcrypt-langchain-openai-mcp-bb738e

> Fallback governance document generated by GOSCE. In production this is
> regenerated by the C2MD service (https://c2md.getvda.ai) at deploy time (Phase 8).

- **Agent:** `bcrypt-langchain-openai-mcp-bb738e`
- **Combination:** `ai-infrastructure_opt_043` (zone `ai-infrastructure`, system `PYPI`)
- **Public URL:** https://bcrypt-langchain-openai-mcp-bb738e.getvda.ai
- **Version:** 0.1.4
- **Generated:** 2026-05-31T16:14:31+00:00

## Capability declaration

This agent composes the following permissively-licensed packages:

| Package | Capability category |
|---------|---------------------|
| `bcrypt` | crypto |
| `langchain-openai` | orchestration |
| `mcp` | agent-protocol |
| `openai` | llm-client |
| `python-jose` | jwt |


## License chain attestation

Every constituent package passed the GOSCE license filter: only **GREEN**
licenses (MIT / Apache-2.0 / BSD / ISC / Unlicense / 0BSD) enter a combination;
any GPL/AGPL/SSPL/BSL/EUPL component excludes the package. No RED-licensed code
is bundled. (Per-package SPDX identifiers are attached by C2MD in production.)

## Data flow

```
client → https://bcrypt-langchain-openai-mcp-bb738e.getvda.ai/{mcp | a2a}
       → capability dispatch (bcrypt + langchain-openai + mcp + openai + python-jose)
       → response
```

No data is persisted by the scaffold; capability handlers are stateless. Any
package that calls an external API (e.g. an LLM provider) forwards only the
request payload it is given.

## Compliance status

| Item | Status |
|------|--------|
| License compatibility | ✅ all GREEN |
| Governance document | ⚠️ fallback (C2MD pending) |
| Data retention | none (stateless scaffold) |
| Authentication | per deployment (payment wrapper added in Phase 8) |

## Provider

VDA / GOSCE — https://getvda.ai · Portfolio: https://getvda.ai/agents