The open-source software that ships inside STF Capital.
The STF Capital application stands on the shoulders of a substantial open-source
ecosystem — a framework, a runtime, dozens of libraries and the tooling
that builds and signs the binary on the way to the Google Play Store. This page
discloses every piece of third-party open-source code that ships to your device,
identifies the licence it is offered under, names the upstream maintainer or
community, and records the obligations STF Capital has voluntarily accepted in
return for the right to use that code.
- Why this page exists
- Methodology
- Licence primer
- Platform & language
- State & navigation
- Backend & networking
- UI libraries
- File handling
- Auth & security
- Firebase services
- Local notifications
- Utilities
- PDF generation
- OTP & QR
- Dev-only tooling
- Full licence texts
- Our compliance commitments
- How to request source
- Contact
1. Why this page exists
Most open-source licences in common use — the MIT Licence, the BSD family and the Apache Licence 2.0 — impose a simple but firm obligation: when you distribute software that incorporates the licensed code, you must preserve the copyright notice, the licence text and any notices file shipped by the upstream author.
Distribution through the Google Play Store counts as distribution for those purposes. STF Capital takes compliance seriously because it is the right thing to do, because Google Play policy increasingly expects it, and because the people who wrote the libraries we rely on deserve visible credit. Section 17 below sets out the voluntary commitments we make in addition to the strict letter of each licence.
2. Methodology
The list below is generated by reading pubspec.yaml and the resolved pubspec.lock, supplemented by the Android Gradle dependency graph for platform-specific libraries pulled in transitively. Only direct dependencies are enumerated; transitive packages inherit the licence category of their direct parent. A full SPDX 2.3 JSON SBOM is available on request (see §18).
3. Licence primer
| Licence family | What it allows | What it requires from us |
|---|---|---|
| MIT | Unrestricted use, modification and distribution, including commercial | Preserve the copyright notice and the licence text |
| BSD-3-Clause | Same as MIT | Preserve copyright, licence, disclaimer; do not use contributor names to endorse |
| Apache-2.0 | Same as MIT, with explicit patent grant | Preserve copyright & licence, reproduce NOTICE, record modifications |
4. Platform & language
| Package | Role | Licence |
|---|---|---|
| Flutter | UI toolkit, rendering engine and Dart runtime | BSD-3-Clause |
| Dart SDK | Language and standard library | BSD-3-Clause |
5. State management & navigation
| Package | Version | Role | Licence |
|---|---|---|---|
| provider | ^6.1.1 | Dependency injection / observable state | MIT |
| go_router | ^13.0.0 | Declarative navigation helper | BSD-3-Clause |
6. Backend & networking
| Package | Role | Licence |
|---|---|---|
| supabase_flutter ^2.3.0 | Flutter bindings for Supabase (auth, realtime, storage, RPC) | Apache-2.0 |
| http ^1.2.0 | HTTP client for signed URL downloads | BSD-3-Clause |
| connectivity_plus ^6.0.3 | Online/offline signal | BSD-3-Clause |
| url_launcher ^6.2.5 | Launch external URLs and phone links | BSD-3-Clause |
7. User-interface libraries
| Package | Role | Licence |
|---|---|---|
| flutter_svg ^2.0.10+1 | SVG rendering | MIT |
| flutter_animate ^4.5.0 | Motion across splash and dashboard | BSD-3-Clause |
| shimmer ^3.0.0 | Loading skeletons | BSD-3-Clause |
| cached_network_image ^3.3.1 | Image caching | MIT |
| fl_chart ^0.67.0 | Analytics charts | MIT |
8. File handling
| Package | Role | Licence |
|---|---|---|
| file_picker ^8.0.3 | Document selection from device storage | BSD-3-Clause |
| image_picker ^1.0.7 | Camera capture and gallery | BSD-3-Clause |
| path_provider ^2.1.2 | Platform-specific cache paths | BSD-3-Clause |
| open_file ^3.3.2 | Open downloaded files natively | BSD-3-Clause |
9. Authentication & security
| Package | Role | Licence |
|---|---|---|
| local_auth ^2.1.8 | Biometric unlock | BSD-3-Clause |
| flutter_secure_storage ^9.0.0 | Android Keystore-backed storage | BSD-3-Clause |
| crypto ^3.0.3 | PBKDF2-HMAC-SHA256 PIN hashing | BSD-3-Clause |
10. Firebase services
| Package | Role | Licence |
|---|---|---|
| firebase_core ^3.12.0 | Firebase SDK init | BSD-3-Clause |
| firebase_messaging ^15.2.0 | Push notifications | BSD-3-Clause |
Firebase Analytics, Crashlytics, Performance Monitoring and Remote Config are not embedded in the Application.
11. Local notifications
| Package | Role | Licence |
|---|---|---|
| flutter_local_notifications ^17.1.2 | Native system-notification rendering | BSD-3-Clause |
12. Utilities
| Package | Role | Licence |
|---|---|---|
| intl ^0.19.0 | Locale-aware formatting | BSD-3-Clause |
| uuid ^4.3.3 | Correlation IDs | MIT |
| shared_preferences ^2.2.2 | Small non-sensitive key/value | BSD-3-Clause |
13. PDF generation
| Package | Role | Licence |
|---|---|---|
| pdf ^3.11.0 | Compose deal PDFs and analytics exports | Apache-2.0 |
| printing ^5.13.0 | Preview, share and print PDFs | Apache-2.0 |
14. One-time passwords & QR
| Package | Role | Licence |
|---|---|---|
| otp ^3.1.4 | TOTP generation (future 2FA) | MIT |
| qr_flutter ^4.1.0 | QR codes for authenticator enrolment | BSD-3-Clause |
15. Development-only tooling
These packages are used during development and build but do not ship inside the delivered binary:
| Package | Role | Licence |
|---|---|---|
| flutter_test | Unit and widget tests | BSD-3-Clause |
| flutter_lints ^3.0.0 | Static analysis rule set | BSD-3-Clause |
| flutter_launcher_icons ^0.13.1 | Launcher-icon generation | MIT |
16. Full licence texts
Every per-package licence text is reproduced verbatim inside the Application itself, accessible from Profile → Trust & Transparency → Open Source Licences. The three licence family texts below are provided here for convenience.
16.1 MIT Licence
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16.2 BSD 3-Clause Licence
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED.
16.3 Apache Licence 2.0 (summary)
Full text at www.apache.org/licenses/LICENSE-2.0. Operative requirements: retain copyright, disclaimer and licence; reproduce any NOTICE; mark modified files in distributed source; respect the express patent grant.
17. Our licence-compliance commitments
- Publishing this attributions page at a stable URL so users can find it without asking.
- Reproducing full per-package licence text inside the Application via the standard showLicensePage helper.
- Keeping pubspec.yaml, pubspec.lock and Android build.gradle.kts under version control so any released APK is reproducible.
- Accepting written requests for the resolved SBOM at no charge.
- Notifying upstream maintainers of security issues and contributing fixes upstream where we can.
Proprietary code written by STF Capital’s engineering team is not open source; all rights reserved.
18. How to request source
Every dependency is distributed under a permissive licence with source available in its upstream repository. If you require the exact pubspec.lock for a specific release, an SPDX 2.3 SBOM, or patches STF Capital has applied to a third-party library, email inquiries@stfcapital.org with subject “Open Source — Source Request”. We respond within 10 Business Days.
19. Contact the open-source compliance desk
Attn: Engineering Compliance
STF Capital Private Limited
Unit 9, 75 Roberts Drive, Msasa, Harare, Zimbabwe
Email: inquiries@stfcapital.org (subject “Open Source”)