Executive summary
Northlight Systems is a structurally sound acquisition target, scoring above the cohort median in four of five risk categories. The exception is license compliance: one copyleft dependency in a revenue-bearing service (LIC-02) drags the category below median and is the first remediation priority. The other material risks concentrate in IP chain of title (three contributors without assignments) and knowledge concentration (bus factor of 2 on the pricing engine). None rise to deal-blocker level; all are remediable within one quarter at the stated band.
The billing service links an AGPL-3.0 library in production. Under the current distribution model this creates a source-disclosure obligation on a revenue-bearing component. A MIT-licensed replacement exists; the seller has scheduled the swap.
Cross-checking the contributor list from git history against the executed agreements in the room leaves three early-stage contributors (2019–2020, 4.1% of surviving lines) with no assignment on file.
Two engineers account for 91% of commits to the pricing engine over 24 months. Documented runbooks partially mitigate; retention terms for both are advised.