@feedclip/sdk 0.1.0

package/COMMERCIAL-LICENSE.md

@@ -0,0 +1,32 @@
+# FeedClip Paid Commercial License
+
+The `@feedclip/sdk` core SDK remains available under the MIT license. This
+commercial license applies only to the implemented FeedClip Paid feature
+gates. It does not restrict rights granted by the MIT license for core
+repository files.
+
+## Paid Features
+
+The currently sold Paid version enables:
+
+- removal of FeedClip branding;
+- thumbnails, trimming, and upload progress;
+- Supabase and S3 uploader helpers;
+
+Screen recording, diagnostics, privacy redaction, resumable uploads, managed
+storage, hosted AI, issue integrations, dashboards, SSO, RBAC, audit logs, data
+residency, and SLA products are roadmap items and are not included in the
+current purchase.
+
+Official Paid capabilities require a valid project-bound FeedClip license
+token. Tokens are signed by the FeedClip licensing service and may not be
+shared between projects or customers.
+
+## Pricing
+
+The current Indie license is a one-time USD 49 purchase valid for one year. It
+does not renew automatically and does not include third-party storage or AI
+provider usage.
+
+Unauthorized activation of the implemented FeedClip Paid feature gates is
+prohibited.

package/COMPLIANCE.md

@@ -0,0 +1,110 @@
+# FeedClip Compliance Guide
+
+This document describes product controls and deployment responsibilities. It
+is not legal advice or a certification of compliance.
+
+## Data inventory
+
+Depending on configuration, FeedClip processes:
+
+- video and voice supplied by the user;
+- an optional screenshot and written description;
+- page origin and path, title, user agent, locale, viewport, and timezone;
+- optional query strings and referrer when explicitly enabled;
+- application-defined custom context;
+- generated transcript, summary, labels, sentiment, and priority;
+- operational identifiers, timestamps, request IP data in rate-limit memory,
+  and server logs.
+
+Video, voice, screenshots, URLs, identifiers, and free-form text can contain
+personal data or sensitive data. Do not send passwords, payment card data,
+authentication tokens, health data, biometric identification data, or other
+regulated data without a reviewed use case and appropriate controls.
+
+## Roles and lawful basis
+
+For a self-hosted deployment, the integrating organization normally determines
+the purpose and means of processing and is the controller. Infrastructure and
+AI providers may act as processors or subprocessors under their contracts.
+
+The integrating organization must select and document an applicable lawful
+basis. Do not treat browser camera or microphone permission as privacy consent.
+When consent is used, it must be informed, specific, demonstrable, and
+withdrawable. Use `privacyNotice` to link the widget to the product's notice.
+
+## Data minimization
+
+- Query strings, URL fragments, credentials, and referrers are excluded by
+  default.
+- Keep `includeQueryString` and `includeReferrer` disabled unless necessary.
+- Allowlist fields returned by `getContext`; do not pass whole user or session
+  objects.
+- Avoid recording unrelated applications, people, notifications, or secrets.
+- Redact sensitive screenshot and video regions before upload where required.
+
+## Retention and deletion
+
+The reference API defaults to a 30-day retention period through
+`FEEDCLIP_RETENTION_DAYS`. It deletes expired local records at startup and every
+24 hours. `DELETE /v1/submissions/:feedbackId` removes one API record.
+
+The IndexedDB adapter exposes `delete(feedbackId)` and `clear()`. The
+integrating product must also apply deletion to backups, object storage, logs,
+analytics, queues, generated issues, and every downstream processor.
+
+## Data subject requests
+
+Maintain an authenticated workflow to:
+
+- locate records using an internal mapping between the user and feedback ID;
+- export the original submission and generated analysis;
+- correct associated metadata where applicable;
+- delete the record and downstream copies;
+- record request receipt and completion deadlines.
+
+Do not expose the project key or allow a feedback ID alone to authorize access.
+
+## AI processing and international transfers
+
+Transcription and analysis send the recording and feedback context to the
+configured AI provider. Before enabling AI:
+
+- list the provider in the privacy notice and subprocessor register;
+- execute the required DPA and transfer mechanism;
+- review provider retention, abuse monitoring, and data residency settings;
+- disable optional provider data sharing;
+- confirm that submitted data is permitted by the provider agreement.
+
+## Accessibility
+
+The widget includes labeled controls, alert semantics, live recording status,
+and progressbar semantics. The integrating product should test the complete
+flow against WCAG 2.2 AA with keyboard-only use and screen readers.
+
+Recorded media containing speech may require transcripts or captions when it
+is later presented as content. Generated transcripts should be reviewable
+because automated transcription can be inaccurate.
+
+## Security and incident response
+
+Use short-lived, scoped credentials or an authenticated backend proxy. Encrypt
+stored data and backups, restrict operator access, audit access, rotate
+credentials, and maintain breach detection and notification procedures.
+
+The local filesystem store and in-process worker are development references,
+not a production compliance architecture.
+
+## Licensing and release records
+
+The SDK is MIT-licensed. Preserve its license and copyright notice when
+redistributing it. Production dependencies currently use permissive licenses.
+MPL-2.0 packages observed in the API lockfile belong to development tooling and
+are not present in the production dependency tree.
+
+For each release, archive:
+
+- dependency lockfiles, vulnerability audit results, and an SBOM;
+- third-party license notices;
+- privacy and security review evidence;
+- retention, deletion, access-control, and recovery test results;
+- current subprocessors and signed DPAs.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Andrey Shedko
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.