legal: ship NOTICE + THIRD_PARTY_NOTICES.md (Phase 0 RED-3)

Phase 0 closure (Path B2, post-rewrite, post-LICENSE-flip):

NOTICE — top-level file at repo root, certctl LLC copyright + BSL
1.1 reference + pointer at LICENSE and THIRD_PARTY_NOTICES.md.
Industry-standard format.

THIRD_PARTY_NOTICES.md — full inventory of binary-link dependencies:
  - 60 Go modules from `go list -deps ./...` (excluding stdlib +
    the certctl module itself). License distribution: 28 Apache-2.0,
    15 BSD-2/3-Clause, 14 MIT, 2 MPL-2.0, 1 ISC.
  - 48 npm production transitive deps from walking the
    `web/package.json` dependencies graph (excludes devDependencies
    — Vitest, Playwright, Vite, etc. don't ship in the bundle).
    License distribution: 35 MIT, 11 ISC, 1 BSD-3-Clause, 1
    MIT-AND-ISC.

Test-fixture-only deps (Cisco libest + f5-mock-icontrol) noted at
the end of THIRD_PARTY_NOTICES.md but excluded from the main table
because they don't ship in any distributed release artifact (libest
is a Docker sidecar invoked only by the est-e2e profile;
f5-mock-icontrol rebuilds from source per Phase 1 RED-1 closure).

Generation method documented inline so the file can be regenerated
deterministically when deps change. No tool dependency vendored —
the underlying `go list` + filesystem walk approach works against
any GOMODCACHE + node_modules state.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-3

NOTICE

@@ -0,0 +1,18 @@
+certctl
+Copyright 2026 certctl LLC.
+
+This product is distributed under the Business Source License 1.1.
+See LICENSE at the repository root for the full license text and
+the Additional Use Grant carve-outs.
+
+This product links third-party Go modules and JavaScript packages
+whose own license terms apply to those components. The full
+inventory of third-party dependencies and their respective licenses
+is enumerated in THIRD_PARTY_NOTICES.md at the repository root.
+
+Effective March 14, 2076, the BSL 1.1 license converts to the
+Apache License 2.0 per the Change Date in LICENSE.
+
+For inquiries about commercial licensing terms outside the
+Additional Use Grant — including the Commercial Certificate
+Service restriction — contact certctl@proton.me.

THIRD_PARTY_NOTICES.md

@@ -0,0 +1,161 @@
+# Third-Party Notices
+
+certctl is distributed under the Business Source License 1.1
+(see [LICENSE](LICENSE)). The binaries built from this source link
+third-party Go and JavaScript libraries listed below; certctl LLC
+acknowledges each library's authors and reproduces their copyright
+and license terms here in compliance with each library's license.
+
+Full license text for each library lives in that library's upstream
+repository. The license type is provided per-row; for the canonical
+notice, refer to the upstream source.
+
+- **Last reviewed:** 2026-05-13
+- **Holder:** certctl LLC
+- **License:** BSL 1.1 (Apache 2.0 effective March 14, 2076)
+
+## Go Modules (binary-link dependencies)
+
+Generated by walking `go list -deps ./...` against the certctl
+server, agent, CLI, and MCP-server build paths. Excludes the Go
+standard library and the certctl-io/certctl module itself.
+
+**Count:** see commit; generate via `go list -deps -f '{{if .Module}}{{.Module.Path}} {{.Module.Version}}{{end}}' ./...`
+
+| Module | Version | License |
+|---|---|---|
+| `github.com/Azure/azure-sdk-for-go/sdk/azcore` | v1.20.0 | MIT |
+| `github.com/Azure/azure-sdk-for-go/sdk/azidentity` | v1.13.1 | MIT |
+| `github.com/Azure/azure-sdk-for-go/sdk/internal` | v1.11.2 | MIT |
+| `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates` | v1.4.0 | MIT |
+| `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal` | v1.2.0 | MIT |
+| `github.com/Azure/go-ntlmssp` | v0.1.1 | MIT |
+| `github.com/AzureAD/microsoft-authentication-library-for-go` | v1.6.0 | MIT |
+| `github.com/ChrisTrenkamp/goxpath` | v0.0.0-20210404020558-97928f7e12b6 | MIT |
+| `github.com/aws/aws-sdk-go-v2` | v1.41.7 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/config` | v1.32.17 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/credentials` | v1.19.16 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/feature/ec2/imds` | v1.18.23 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/internal/configsources` | v1.4.23 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/internal/endpoints/v2` | v2.7.23 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/internal/v4a` | v1.4.24 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/acm` | v1.38.3 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/acmpca` | v1.46.14 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding` | v1.13.9 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/internal/presigned-url` | v1.13.23 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/signin` | v1.0.11 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/sso` | v1.30.17 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/ssooidc` | v1.35.21 | Apache-2.0 |
+| `github.com/aws/aws-sdk-go-v2/service/sts` | v1.42.1 | Apache-2.0 |
+| `github.com/aws/smithy-go` | v1.25.1 | Apache-2.0 |
+| `github.com/bodgit/ntlmssp` | v0.0.0-20240506230425-31973bb52d9b | BSD-2/3-Clause |
+| `github.com/bodgit/windows` | v1.0.1 | BSD-2/3-Clause |
+| `github.com/coreos/go-oidc/v3` | v3.18.0 | Apache-2.0 |
+| `github.com/go-jose/go-jose/v4` | v4.1.4 | Apache-2.0 |
+| `github.com/go-logr/logr` | v1.4.3 | Apache-2.0 |
+| `github.com/gofrs/uuid` | v4.4.0+incompatible | MIT |
+| `github.com/golang-jwt/jwt/v5` | v5.3.0 | MIT |
+| `github.com/google/jsonschema-go` | v0.4.2 | MIT |
+| `github.com/google/uuid` | v1.6.0 | BSD-2/3-Clause |
+| `github.com/hashicorp/go-cleanhttp` | v0.5.2 | MPL-2.0 |
+| `github.com/hashicorp/go-uuid` | v1.0.3 | MPL-2.0 |
+| `github.com/jcmturner/aescts/v2` | v2.0.0 | Apache-2.0 |
+| `github.com/jcmturner/dnsutils/v2` | v2.0.0 | Apache-2.0 |
+| `github.com/jcmturner/gofork` | v1.7.6 | BSD-2/3-Clause |
+| `github.com/jcmturner/goidentity/v6` | v6.0.1 | Apache-2.0 |
+| `github.com/jcmturner/gokrb5/v8` | v8.4.4 | Apache-2.0 |
+| `github.com/jcmturner/rpc/v2` | v2.0.3 | Apache-2.0 |
+| `github.com/kr/fs` | v0.1.0 | BSD-2/3-Clause |
+| `github.com/kylelemons/godebug` | v1.1.0 | Apache-2.0 |
+| `github.com/lib/pq` | v1.10.9 | MIT |
+| `github.com/masterzen/simplexml` | v0.0.0-20190410153822-31eea3082786 | Apache-2.0 |
+| `github.com/masterzen/winrm` | v0.0.0-20250927112105-5f8e6c707321 | Apache-2.0 |
+| `github.com/modelcontextprotocol/go-sdk` | v1.4.1 | Apache-2.0 |
+| `github.com/pkg/browser` | v0.0.0-20240102092130-5ac0b6a4141c | BSD-2/3-Clause |
+| `github.com/pkg/sftp` | v1.13.10 | BSD-2/3-Clause |
+| `github.com/segmentio/asm` | v1.1.3 | MIT |
+| `github.com/segmentio/encoding` | v0.5.4 | MIT |
+| `github.com/tidwall/transform` | v0.0.0-20201103190739-32f242e2dbde | ISC |
+| `github.com/yosida95/uritemplate/v3` | v3.0.2 | BSD-2/3-Clause |
+| `golang.org/x/crypto` | v0.50.0 | BSD-2/3-Clause |
+| `golang.org/x/net` | v0.53.0 | BSD-2/3-Clause |
+| `golang.org/x/oauth2` | v0.36.0 | BSD-2/3-Clause |
+| `golang.org/x/sync` | v0.20.0 | BSD-2/3-Clause |
+| `golang.org/x/sys` | v0.43.0 | BSD-2/3-Clause |
+| `golang.org/x/text` | v0.36.0 | BSD-2/3-Clause |
+| `software.sslmate.com/src/go-pkcs12` | v0.7.0 | BSD-2/3-Clause |
+
+## JavaScript Packages (production transitive closure)
+
+Generated by walking the `dependencies` graph from `web/package.json`
+through `node_modules/`. Excludes devDependencies (Vitest, Playwright,
+Vite, etc.) since they don't ship in the distributed frontend bundle.
+
+| Package | Version | License |
+|---|---|---|
+| `@reduxjs/toolkit` | 2.11.2 | MIT |
+| `@remix-run/router` | 1.23.2 | MIT |
+| `@standard-schema/spec` | 1.1.0 | MIT |
+| `@standard-schema/utils` | 0.3.0 | MIT |
+| `@tanstack/query-core` | 5.90.20 | MIT |
+| `@tanstack/react-query` | 5.90.21 | MIT |
+| `@types/d3-array` | 3.2.2 | MIT |
+| `@types/d3-color` | 3.1.3 | MIT |
+| `@types/d3-ease` | 3.0.2 | MIT |
+| `@types/d3-interpolate` | 3.0.4 | MIT |
+| `@types/d3-path` | 3.1.1 | MIT |
+| `@types/d3-scale` | 4.0.9 | MIT |
+| `@types/d3-shape` | 3.1.8 | MIT |
+| `@types/d3-time` | 3.0.4 | MIT |
+| `@types/d3-timer` | 3.0.2 | MIT |
+| `@types/use-sync-external-store` | 0.0.6 | MIT |
+| `clsx` | 2.1.1 | MIT |
+| `d3-array` | 3.2.4 | ISC |
+| `d3-color` | 3.1.0 | ISC |
+| `d3-ease` | 3.0.1 | BSD-3-Clause |
+| `d3-format` | 3.1.2 | ISC |
+| `d3-interpolate` | 3.0.1 | ISC |
+| `d3-path` | 3.1.0 | ISC |
+| `d3-scale` | 4.0.2 | ISC |
+| `d3-shape` | 3.2.0 | ISC |
+| `d3-time` | 3.1.0 | ISC |
+| `d3-time-format` | 4.1.0 | ISC |
+| `d3-timer` | 3.0.1 | ISC |
+| `decimal.js-light` | 2.5.1 | MIT |
+| `es-toolkit` | 1.45.1 | MIT |
+| `eventemitter3` | 5.0.4 | MIT |
+| `immer` | 10.2.0 | MIT |
+| `internmap` | 2.0.3 | ISC |
+| `js-tokens` | 4.0.0 | MIT |
+| `loose-envify` | 1.4.0 | MIT |
+| `react` | 18.3.1 | MIT |
+| `react-dom` | 18.3.1 | MIT |
+| `react-redux` | 9.2.0 | MIT |
+| `react-router` | 6.30.3 | MIT |
+| `react-router-dom` | 6.30.3 | MIT |
+| `recharts` | 3.8.0 | MIT |
+| `redux` | 5.0.1 | MIT |
+| `redux-thunk` | 3.1.0 | MIT |
+| `reselect` | 5.1.1 | MIT |
+| `scheduler` | 0.23.2 | MIT |
+| `tiny-invariant` | 1.3.3 | MIT |
+| `use-sync-external-store` | 1.6.0 | MIT |
+| `victory-vendor` | 37.3.6 | MIT AND ISC |
+
+## Test-fixture-only dependencies
+
+**Cisco libest.** The certctl integration test suite exercises the EST
+(RFC 7030) endpoints against Cisco's libest reference client. libest
+runs as a sidecar container (`certctl-test-libest`) only when the
+`est-e2e` Docker Compose profile is active — it is **not** vendored
+into the certctl source tree and **not** linked into any distributed
+release artifact (server, agent, CLI, MCP-server, container images,
+or release tarballs). For libest's own license terms, see
+<https://github.com/cisco/libest>.
+
+**f5-mock-icontrol.** The F5 deployment-target integration test
+ships a small Go program at `deploy/test/f5-mock-icontrol/main.go`
+under the same BSL 1.1 license as the rest of certctl. The compiled
+ELF was removed from the tracked tree in Phase 1 closure (commit
+eda3b48, 2026-05-13); it now rebuilds via the Dockerfile's
+multi-stage build on demand.