{"deps":[{"id":"nextjs","name":"Next.js","version":"15.0.0","license":"MIT","category":"framework","purpose":"App Router web framework for the L5 consoles, sponsor portal, and inspection view.","riskClass":"low","vendor":"Vercel","repoUrl":"https://github.com/vercel/next.js","requiresLicense":false},{"id":"react","name":"React","version":"19.0.0","license":"MIT","category":"framework","purpose":"UI library underlying every page and component in apps/web.","riskClass":"low","vendor":"Meta","repoUrl":"https://github.com/facebook/react","requiresLicense":false},{"id":"react-dom","name":"React DOM","version":"19.0.0","license":"MIT","category":"framework","purpose":"DOM renderer for React on the client and server-side rendering pipeline.","riskClass":"low","vendor":"Meta","repoUrl":"https://github.com/facebook/react","requiresLicense":false},{"id":"typescript","name":"TypeScript","version":"5.6.0","license":"Apache-2.0","category":"language","purpose":"Typed superset of JavaScript — the canonical language for every package in the repo.","riskClass":"low","vendor":"Microsoft","repoUrl":"https://github.com/microsoft/TypeScript","requiresLicense":false},{"id":"nodejs","name":"Node.js","version":"22.0.0","license":"MIT","category":"language","purpose":"JavaScript runtime used for every service, API route, agent, and CLI tool.","riskClass":"low","vendor":"OpenJS Foundation","repoUrl":"https://github.com/nodejs/node","requiresLicense":false},{"id":"pnpm","name":"pnpm","version":"9.0.0","license":"MIT","category":"tooling","purpose":"Workspace-aware package manager used across the Turborepo monorepo.","riskClass":"low","vendor":"pnpm","repoUrl":"https://github.com/pnpm/pnpm","requiresLicense":false},{"id":"turborepo","name":"Turborepo","version":"2.0.0","license":"MPL-2.0","category":"tooling","purpose":"Monorepo task runner with remote caching used for build/lint/test pipelines.","riskClass":"low","vendor":"Vercel","repoUrl":"https://github.com/vercel/turborepo","requiresLicense":false},{"id":"vitest","name":"Vitest","version":"2.0.0","license":"MIT","category":"tooling","purpose":"Unit test runner powering every test in services/, packages/, and apps/web.","riskClass":"low","vendor":"VoidZero","repoUrl":"https://github.com/vitest-dev/vitest","requiresLicense":false},{"id":"biome","name":"Biome","version":"1.9.0","license":"MIT","category":"tooling","purpose":"Linter and formatter for TypeScript, JSON, and React JSX across the monorepo.","riskClass":"low","vendor":"Biome","repoUrl":"https://github.com/biomejs/biome","requiresLicense":false},{"id":"tailwindcss","name":"Tailwind CSS","version":"4.0.0","license":"MIT","category":"framework","purpose":"Utility-first styling for every UI surface in apps/web.","riskClass":"low","vendor":"Tailwind Labs","repoUrl":"https://github.com/tailwindlabs/tailwindcss","requiresLicense":false},{"id":"shadcn-ui","name":"shadcn/ui","version":"0.9.0","license":"MIT","category":"framework","purpose":"Copy-in component primitives used as the UI foundation for consoles and forms.","riskClass":"low","vendor":"shadcn","repoUrl":"https://github.com/shadcn-ui/ui","requiresLicense":false},{"id":"drizzle-orm","name":"Drizzle ORM","version":"0.36.0","license":"Apache-2.0","category":"database","purpose":"Typed query builder and migration toolkit for the cro.* Postgres schema.","riskClass":"low","vendor":"Drizzle Team","repoUrl":"https://github.com/drizzle-team/drizzle-orm","requiresLicense":false},{"id":"supabase-postgres","name":"Supabase Postgres","version":"15.6.0","license":"PostgreSQL","category":"database","purpose":"Primary system of record — hosts the cro.* schema, RLS policies, and pg_cron jobs.","riskClass":"medium","vendor":"Supabase","repoUrl":"https://github.com/supabase/supabase","requiresLicense":false},{"id":"supabase-auth","name":"Supabase Auth","version":"2.158.0","license":"Apache-2.0","category":"auth","purpose":"User authentication with TOTP MFA; underpins the Part 11 re-auth flow before signature.","riskClass":"high","vendor":"Supabase","repoUrl":"https://github.com/supabase/auth","requiresLicense":false},{"id":"supabase-storage","name":"Supabase Storage","version":"1.11.0","license":"Apache-2.0","category":"service","purpose":"Object storage for inspection ZIPs, evidence binders, and TMF essential documents.","riskClass":"medium","vendor":"Supabase","repoUrl":"https://github.com/supabase/storage","requiresLicense":false},{"id":"pgvector","name":"pgvector","version":"0.8.0","license":"PostgreSQL","category":"database","purpose":"Postgres extension powering the vector spine for citation-grounded RAG.","riskClass":"low","vendor":"pgvector","repoUrl":"https://github.com/pgvector/pgvector","requiresLicense":false},{"id":"anthropic-claude-sonnet-4-7","name":"Anthropic Claude Sonnet 4.7","version":"claude-sonnet-4-7","license":"commercial","category":"model","purpose":"Default model for most agents — drafting, classification, summarization, and review.","riskClass":"high","vendor":"Anthropic","repoUrl":"https://docs.anthropic.com","requiresLicense":true},{"id":"anthropic-claude-opus-4-7","name":"Anthropic Claude Opus 4.7","version":"claude-opus-4-7","license":"commercial","category":"model","purpose":"High-stakes model for protocol amendments, narrative authoring, and evaluator calls.","riskClass":"high","vendor":"Anthropic","repoUrl":"https://docs.anthropic.com","requiresLicense":true},{"id":"vercel-cron","name":"Vercel Cron","version":"1.0.0","license":"commercial","category":"service","purpose":"Scheduled HTTPS triggers for agent kicks, daily audits, and digest generation.","riskClass":"medium","vendor":"Vercel","repoUrl":"https://vercel.com/docs/cron-jobs","requiresLicense":true},{"id":"vercel-hosting","name":"Vercel Hosting","version":"1.0.0","license":"commercial","category":"service","purpose":"Edge + serverless hosting for apps/web; auto-deploys every push to main and PR.","riskClass":"medium","vendor":"Vercel","repoUrl":"https://vercel.com/docs","requiresLicense":true},{"id":"github-actions","name":"GitHub Actions","version":"1.0.0","license":"commercial","category":"tooling","purpose":"CI/CD pipeline runner — lint, typecheck, test, build, and auto-merge gates.","riskClass":"medium","vendor":"GitHub","repoUrl":"https://docs.github.com/actions","requiresLicense":true},{"id":"jszip","name":"JSZip","version":"3.10.1","license":"MIT","category":"tooling","purpose":"Pure-JS ZIP builder used to package the inspection evidence binder for download.","riskClass":"low","vendor":"Stuart Knightley","repoUrl":"https://github.com/Stuk/jszip","requiresLicense":false},{"id":"neverthrow","name":"neverthrow","version":"8.0.0","license":"MIT","category":"tooling","purpose":"Typed Result<T, E> for service boundaries — non-throwing error handling.","riskClass":"low","vendor":"Giorgio Polvara","repoUrl":"https://github.com/supermacro/neverthrow","requiresLicense":false},{"id":"meddra","name":"MedDRA","version":"27.0","license":"commercial","category":"service","purpose":"Regulated medical dictionary for adverse event coding; required for safety/PV narratives.","riskClass":"high","vendor":"ICH MSSO","repoUrl":"https://www.meddra.org","requiresLicense":true},{"id":"whodrug","name":"WHODrug Global","version":"B3 2026 Mar 1","license":"commercial","category":"service","purpose":"Regulated drug dictionary for concomitant medication coding in safety and PV workflows.","riskClass":"high","vendor":"Uppsala Monitoring Centre","repoUrl":"https://who-umc.org/whodrug","requiresLicense":true},{"id":"cdisc-ct","name":"CDISC Controlled Terminology","version":"2026-03-28","license":"CC-BY-NC-ND-4.0","category":"service","purpose":"Standardized terminology for SDTM/ADaM datasets and protocol metadata; submission-required.","riskClass":"medium","vendor":"CDISC","repoUrl":"https://www.cdisc.org/standards/terminology","requiresLicense":true},{"id":"promptfoo","name":"promptfoo","version":"0.95.0","license":"MIT","category":"tooling","purpose":"Golden-case evaluation harness for every agent prompt; gates prompt registry bumps.","riskClass":"medium","vendor":"promptfoo","repoUrl":"https://github.com/promptfoo/promptfoo","requiresLicense":false},{"id":"playwright","name":"Playwright (planned)","version":"1.48.0","license":"Apache-2.0","category":"tooling","purpose":"End-to-end browser testing for signature-capturing UI routes. Planned, not yet wired into CI.","riskClass":"low","vendor":"Microsoft","repoUrl":"https://github.com/microsoft/playwright","requiresLicense":false},{"id":"inngest","name":"Inngest (deferred)","version":"n/a","license":"Apache-2.0","category":"service","purpose":"Durable workflow engine. Deferred per ADR 0006 — re-evaluate when multi-step fan-out emerges.","riskClass":"medium","vendor":"Inngest","repoUrl":"https://github.com/inngest/inngest","requiresLicense":false},{"id":"supabase-realtime","name":"Supabase Realtime","version":"2.30.0","license":"Apache-2.0","category":"service","purpose":"WebSocket broadcast of provenance_event inserts to live dashboards (event bus).","riskClass":"medium","vendor":"Supabase","repoUrl":"https://github.com/supabase/realtime","requiresLicense":false}],"summary":{"total":30,"byCategory":{"framework":5,"database":3,"model":2,"tooling":9,"service":8,"language":2,"auth":1,"observability":0},"byLicense":{"MIT":12,"Apache-2.0":7,"MPL-2.0":1,"PostgreSQL":2,"commercial":7,"CC-BY-NC-ND-4.0":1},"byRisk":{"low":16,"medium":9,"high":5},"requiresLicenseCount":8}}