@wipcomputer/wip-ai-devops-toolbox 1.9.20

package/tools/wip-license-hook/README.md

@@ -0,0 +1,200 @@
+###### WIP Computer
+
+[![npm](https://img.shields.io/npm/v/@wipcomputer/wip-license-hook)](https://www.npmjs.com/package/@wipcomputer/wip-license-hook) [![CLI / TUI](https://img.shields.io/badge/interface-CLI_/_TUI-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-license-hook/cli.js) [![MCP Server](https://img.shields.io/badge/interface-MCP_Server-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-license-hook/mcp-server.mjs) [![Claude Code Skill](https://img.shields.io/badge/interface-Claude_Code_Skill-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-license-hook/SKILL.md) [![Universal Interface Spec](https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-universal-installer/SPEC.md)
+
+# wip-license-hook
+
+License rug-pull detection and dependency license compliance for open source projects.
+
+## The Problem
+
+You fork an MIT project. You build on it. Six months later, the upstream quietly changes to BSL or proprietary. You pull the update without checking. Now your project is poisoned.
+
+This has happened. It will happen again.
+
+## The Solution
+
+A pre-merge hook + daily scanner + public dashboard that:
+
+1. **Maintains a license ledger** of every dependency and fork at time of adoption
+2. **Gates all upstream merges** — if the license changed, the merge is blocked
+3. **Scans daily** — catches license drift before it reaches your codebase
+4. **Publishes a dashboard** — public proof of license health for anyone using your forks
+
+## How It Works
+
+### Git Hooks (Always On)
+
+**Two mandatory hooks. No bypass.**
+
+**Pre-pull** — before pulling anything from upstream:
+```
+git pull upstream main
+  → hook fires FIRST
+  → fetch without merge
+  → check LICENSE, package.json, SPDX headers
+  → compare against ledger
+  → SAME? → pull proceeds
+  → CHANGED? → BLOCK. Flag. Document. Notify. Do NOT pull.
+```
+
+**Pre-push** — before pushing any commit to our branch:
+```
+git push origin main
+  → hook fires FIRST
+  → check upstream license status
+  → compare against ledger
+  → SAME? → push proceeds
+  → CHANGED? → ALERT. Warn that upstream has drifted. Push still allowed (it's our code) but we know.
+```
+
+Pre-pull = hard gate (blocks).
+Pre-push = alert (warns, doesn't block our own work).
+
+### License Ledger
+
+`LICENSE-LEDGER.json` tracks every dependency:
+
+```json
+{
+  "dependencies": [
+    {
+      "name": "openclaw",
+      "source": "github:openclaw/openclaw",
+      "type": "fork",
+      "license_at_adoption": "MIT",
+      "license_current": "MIT",
+      "adopted_date": "2026-02-05",
+      "last_checked": "2026-02-15",
+      "commit_at_adoption": "abc123",
+      "status": "clean"
+    }
+  ],
+  "last_full_scan": "2026-02-15T08:00:00Z",
+  "alerts": []
+}
+```
+
+Status values: `clean` | `changed` | `removed` | `unknown`
+
+### LICENSE Snapshots
+
+Physical copies of LICENSE files at adoption. Not just metadata. Proof that survives git history rewrites.
+
+```
+ledger/
+  snapshots/
+    openclaw/
+      LICENSE-2026-02-05.txt    ← what it was when we forked
+      LICENSE-2026-02-15.txt    ← latest check
+```
+
+If they rug-pull and rewrite history, we have the receipt on disk.
+
+### Daily Cron Scan
+
+Runs every morning:
+
+1. For each fork: `git fetch upstream` (no merge), check LICENSE file
+2. For each npm/pip dependency: check registry for current license metadata
+3. Compare everything against the ledger
+4. Generate report
+5. If anything changed: alert immediately (message, email, or both)
+
+### Public Dashboard
+
+Static site (GitHub Pages or similar) generated from the ledger:
+
+- List of all dependencies and forks
+- License at adoption vs current license
+- Last checked date
+- Health status (green/yellow/red)
+- Proof links (commit hashes, archived LICENSE files)
+
+Anyone using our forks can verify: "WIP Computer adopted this when it was MIT, and it's still MIT."
+
+## Detection Methods
+
+### For Forks (git repos)
+- Check `LICENSE` / `LICENSE.md` / `COPYING` file content
+- Parse `package.json` license field
+- Check for SPDX headers in source files
+- Compare against known license text fingerprints
+
+### For npm Dependencies
+- `npm view <package> license`
+- Compare against ledger
+
+### For Python Dependencies
+- `pip show <package>` license field
+- PyPI API metadata
+
+## Installation
+
+### As an OpenClaw Skill
+```bash
+clawhub install wip-license-hook
+```
+
+### As a Git Hook
+```bash
+wip-license-hook install --repo .
+```
+
+### As a Cron Job
+```bash
+wip-license-hook scan --all --report
+```
+
+## Architecture
+
+```
+core/
+  scanner.ts       — license detection logic
+  ledger.ts        — ledger read/write/compare
+  detector.ts      — license text fingerprinting
+  reporter.ts      — generate reports and alerts
+cli/
+  index.ts         — CLI wrapper
+skill/
+  SKILL.md         — OpenClaw/agent skill definition
+dashboard/
+  index.html       — static dashboard generator
+hooks/
+  pre-merge.sh     — git hook script
+```
+
+## Commands
+
+```bash
+wip-license-hook init              # Initialize ledger for current project
+wip-license-hook scan              # Scan all deps, update ledger
+wip-license-hook check <dep>       # Check specific dependency
+wip-license-hook gate              # Pre-merge license gate (for hooks)
+wip-license-hook report            # Generate report
+wip-license-hook dashboard         # Generate static dashboard
+wip-license-hook alert             # Send alerts for any changes
+```
+
+## Why This Matters
+
+> "Been dubious of MIT open source. Seen too many pull it or hide non-MIT bins for it all to work."
+
+This tool is the guardrail. The receipt. The proof.
+
+If your dependency gets rug-pulled, you have:
+- The exact commit where the license was what you agreed to
+- Documentation of when and what changed
+- A clean fork point to fall back to
+- Public proof for anyone downstream of you
+
+## License
+
+```
+CLI, MCP server, skills                        MIT    (use anywhere, no restrictions)
+Hosted or cloud service use                    AGPL   (network service distribution)
+```
+
+AGPL for personal use is free.
+
+Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).

package/tools/wip-license-hook/SKILL.md

@@ -0,0 +1,111 @@
+---
+name: wip-license-hook
+description: License rug-pull detection. Scans dependencies and forks for license changes, gates upstream merges, maintains a license ledger, and generates a public compliance dashboard.
+license: MIT
+interface: [cli, module, mcp]
+metadata:
+  display-name: "License Rug-Pull Detection"
+  version: "1.0.0"
+  homepage: "https://github.com/wipcomputer/wip-ai-devops-toolbox"
+  author: "Parker Todd Brooks"
+  category: dev-tools
+  capabilities:
+    - license-scanning
+    - rug-pull-detection
+    - compliance-gating
+    - license-ledger
+  requires:
+    bins: [node, git, npm]
+  openclaw:
+    requires:
+      bins: [node, git, npm]
+    install:
+      - id: node
+        kind: node
+        package: "@wipcomputer/wip-license-hook"
+        bins: [wip-license-hook]
+        label: "Install via npm"
+    emoji: "🛡️"
+compatibility: Requires git, npm, node. Node.js 18+.
+---
+
+# wip-license-hook
+
+Detect license rug-pulls before they reach your codebase.
+
+## Commands
+
+### Initialize ledger for a project
+```bash
+wip-license-hook init --repo /path/to/repo
+```
+Scans all current dependencies and forks, records their licenses, creates `LICENSE-LEDGER.json`.
+
+### Scan all dependencies
+```bash
+wip-license-hook scan --all
+```
+Checks every dependency and fork against the ledger. Updates `last_checked`. Flags any changes.
+
+### Pre-merge gate
+```bash
+wip-license-hook gate --upstream <remote>
+```
+Fetches upstream without merging. Checks license. Returns exit code 0 (safe) or 1 (changed/blocked).
+
+Use in git hooks or CI.
+
+### Generate report
+```bash
+wip-license-hook report
+```
+Outputs a human-readable license health report.
+
+### Generate dashboard
+```bash
+wip-license-hook dashboard --output ./docs
+```
+Creates a static HTML dashboard from the ledger. Deploy to GitHub Pages.
+
+## Daily Cron Usage
+
+Add to HEARTBEAT.md or as a cron job:
+```
+wip-license-hook scan --all --alert
+```
+
+If any license changed, sends alert via configured channel (email, iMessage, Discord).
+
+## What It Detects
+
+- LICENSE file content changes
+- package.json license field changes
+- SPDX header changes
+- License removal (file deleted)
+- License downgrade (permissive → restrictive)
+
+## What It Does NOT Do
+
+- It does not legal advice make
+- It does not auto-merge anything ever
+- It does not modify upstream code
+
+## Alert Levels
+
+- 🟢 **Clean** — license unchanged since adoption
+- 🟡 **Warning** — license metadata inconsistency (e.g., LICENSE file says MIT but package.json says ISC)
+- 🔴 **Blocked** — license changed from what was adopted. Merge blocked. Human review required.
+
+## MCP
+
+Tools: `license_scan`, `license_audit`, `license_gate`, `license_ledger`
+
+Add to `.mcp.json`:
+```json
+{
+  "wip-license-hook": {
+    "command": "node",
+    "args": ["/path/to/tools/wip-license-hook/mcp-server.mjs"]
+  }
+}
+```

package/tools/wip-license-hook/dist/cli/index.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+ * wip-license-hook CLI
+ *
+ * Commands:
+ *   init        Initialize ledger for current project
+ *   scan        Scan all deps, update ledger
+ *   check <dep> Check specific dependency
+ *   gate        Pre-merge license gate (for hooks)
+ *   report      Print ledger report
+ *   dashboard   Generate static dashboard HTML
+ *   alert       Print current alerts
+ *   install     Install git hooks in current repo
+ */
+export {};

package/tools/wip-license-hook/dist/cli/index.js

@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+/**
+ * wip-license-hook CLI
+ *
+ * Commands:
+ *   init        Initialize ledger for current project
+ *   scan        Scan all deps, update ledger
+ *   check <dep> Check specific dependency
+ *   gate        Pre-merge license gate (for hooks)
+ *   report      Print ledger report
+ *   dashboard   Generate static dashboard HTML
+ *   alert       Print current alerts
+ *   install     Install git hooks in current repo
+ */
+import { resolve } from "node:path";
+import { existsSync, mkdirSync, copyFileSync } from "node:fs";
+import { readLedger, writeLedger, createEmptyLedger, findEntry, scanAndUpdate, gateCheck, formatScanReport, formatGateOutput, formatLedgerReport, writeDashboard, generateBadgeUrl, } from "../core/index.js";
+const args = process.argv.slice(2);
+const command = args[0];
+const flags = new Set(args.filter((a) => a.startsWith("--")));
+const positional = args.filter((a) => !a.startsWith("--")).slice(1);
+const repoRoot = resolve(process.cwd());
+const offline = flags.has("--offline");
+const verbose = flags.has("--verbose");
+function help() {
+    console.log(`
+wip-license-hook — License rug-pull detection
+
+Usage: wip-license-hook <command> [options]
+
+Commands:
+  init              Initialize LICENSE-LEDGER.json
+  scan              Scan all dependencies, update ledger
+  check <name>      Check a specific dependency
+  gate              Pre-merge license gate (exit 1 if changed)
+  report            Print ledger status
+  dashboard         Generate static HTML dashboard
+  alert             Show current alerts
+  install           Install git hooks in .git/hooks/
+  badge             Print shields.io badge URL
+
+Options:
+  --offline         Skip network calls (use cached data only)
+  --verbose         Verbose output
+  --help            Show this help
+`);
+}
+async function main() {
+    if (!command || command === "--help" || flags.has("--help")) {
+        help();
+        return;
+    }
+    switch (command) {
+        case "init": {
+            const ledgerPath = resolve(repoRoot, "LICENSE-LEDGER.json");
+            if (existsSync(ledgerPath)) {
+                console.log("⚠️  LICENSE-LEDGER.json already exists. Use 'scan' to update.");
+                return;
+            }
+            writeLedger(repoRoot, createEmptyLedger());
+            mkdirSync(resolve(repoRoot, "ledger/snapshots"), { recursive: true });
+            console.log("✅ Initialized LICENSE-LEDGER.json and ledger/snapshots/");
+            console.log("   Run 'wip-license-hook scan' to populate.");
+            break;
+        }
+        case "scan": {
+            console.log(offline ? "📡 Scanning (offline mode)..." : "📡 Scanning dependencies...");
+            const results = scanAndUpdate({ repoRoot, offline, verbose });
+            console.log(formatScanReport(results));
+            break;
+        }
+        case "check": {
+            const name = positional[0];
+            if (!name) {
+                console.error("Usage: wip-license-hook check <dependency-name>");
+                process.exit(1);
+            }
+            const ledger = readLedger(repoRoot);
+            const entry = findEntry(ledger, name);
+            if (!entry) {
+                console.log(`❓ ${name} not found in ledger. Run 'scan' first.`);
+                process.exit(1);
+            }
+            console.log(`\n  ${entry.status === "clean" ? "✅" : "🚫"} ${entry.name}`);
+            console.log(`     Type:    ${entry.type}`);
+            console.log(`     Source:  ${entry.source}`);
+            console.log(`     Adopted: ${entry.license_at_adoption} on ${entry.adopted_date}`);
+            console.log(`     Current: ${entry.license_current} (checked ${entry.last_checked})`);
+            console.log(`     Status:  ${entry.status}\n`);
+            break;
+        }
+        case "gate": {
+            if (offline) {
+                console.log("⚠️  Offline mode — skipping license gate (cannot verify upstream).");
+                console.log("    Your push will proceed, but licenses were NOT checked.");
+                process.exit(0);
+            }
+            const { safe, alerts } = gateCheck(repoRoot, offline);
+            console.log(formatGateOutput(safe, alerts));
+            if (!safe)
+                process.exit(1);
+            break;
+        }
+        case "report": {
+            const ledger = readLedger(repoRoot);
+            console.log(formatLedgerReport(ledger));
+            break;
+        }
+        case "dashboard": {
+            const outPath = writeDashboard(repoRoot);
+            console.log(`✅ Dashboard written to ${outPath}`);
+            break;
+        }
+        case "alert": {
+            const ledger = readLedger(repoRoot);
+            if (ledger.alerts.length === 0) {
+                console.log("✅ No active alerts.");
+            }
+            else {
+                console.log(`\n⚠️  ${ledger.alerts.length} alert(s):\n`);
+                for (const a of ledger.alerts) {
+                    console.log(`  ${a.message}`);
+                    console.log(`  Detected: ${a.detected}\n`);
+                }
+            }
+            break;
+        }
+        case "install": {
+            const hooksDir = resolve(repoRoot, ".git/hooks");
+            if (!existsSync(resolve(repoRoot, ".git"))) {
+                console.error("❌ Not a git repository. Run from a git repo root.");
+                process.exit(1);
+            }
+            mkdirSync(hooksDir, { recursive: true });
+            // Find hooks relative to the package
+            const pkgRoot = resolve(new URL(".", import.meta.url).pathname, "../../..");
+            const prePullSrc = resolve(pkgRoot, "hooks/pre-pull.sh");
+            const preCommitSrc = resolve(pkgRoot, "hooks/pre-push.sh");
+            for (const [src, dest] of [
+                [prePullSrc, resolve(hooksDir, "pre-merge-commit")],
+                [preCommitSrc, resolve(hooksDir, "pre-push")],
+            ]) {
+                if (existsSync(src)) {
+                    copyFileSync(src, dest);
+                    const { chmodSync } = await import("node:fs");
+                    chmodSync(dest, 0o755);
+                    console.log(`✅ Installed ${dest}`);
+                }
+                else {
+                    console.log(`⚠️  Hook source not found: ${src}`);
+                }
+            }
+            break;
+        }
+        case "badge": {
+            const ledger = readLedger(repoRoot);
+            console.log(generateBadgeUrl(ledger));
+            break;
+        }
+        default:
+            console.error(`Unknown command: ${command}`);
+            help();
+            process.exit(1);
+    }
+}
+main().catch((err) => {
+    console.error("Fatal error:", err.message);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/tools/wip-license-hook/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAiB,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EACL,UAAU,EAAE,WAAW,EAAE,iBAAiB,EAAE,SAAS,EACrD,aAAa,EAAE,SAAS,EACxB,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EACtD,cAAc,EAAE,gBAAgB,GACjC,MAAM,kBAAkB,CAAC;AAE1B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACxB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEpE,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AACxC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AACvC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAEvC,SAAS,IAAI;IACX,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;CAoBb,CAAC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5D,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;YAC5D,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;gBAC7E,OAAO;YACT,CAAC;YACD,WAAW,CAAC,QAAQ,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAC3C,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,kBAAkB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACtE,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;YAC3D,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC;YACvF,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC9D,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;YACvC,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAC3B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,yCAAyC,CAAC,CAAC;gBAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1E,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,mBAAmB,OAAO,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;YACnF,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,eAAe,aAAa,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC;YACtF,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC;YAC/C,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;gBAClF,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;gBAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;YACxC,MAAM;QACR,CAAC;QAED,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,OAAO,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;YACjD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,MAAM,CAAC,MAAM,cAAc,CAAC,CAAC;gBACzD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC9B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACjD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC3C,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEzC,qCAAqC;YACrC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;YACzD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;YAE3D,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI;gBACxB,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;gBACnD,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;aAC9C,EAAE,CAAC;gBACF,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpB,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;oBACxB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;oBAC9C,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;gBACrC,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,GAAG,EAAE,CAAC,CAAC;gBACnD,CAAC;YACH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM;QACR,CAAC;QAED;YACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;YAC7C,IAAI,EAAE,CAAC;YACP,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/tools/wip-license-hook/dist/core/detector.d.ts

@@ -0,0 +1,12 @@
+/**
+ * License text fingerprinting — identifies license type from file content.
+ */
+export type LicenseId = "MIT" | "Apache-2.0" | "BSD-2-Clause" | "BSD-3-Clause" | "GPL-2.0" | "GPL-3.0" | "LGPL-2.1" | "LGPL-3.0" | "MPL-2.0" | "ISC" | "BSL-1.1" | "SSPL-1.0" | "Unlicense" | "AGPL-3.0" | "UNKNOWN";
+/**
+ * Detect license type from raw license file text.
+ */
+export declare function detectLicenseFromText(text: string): LicenseId;
+/**
+ * Normalize a license SPDX identifier from package metadata.
+ */
+export declare function normalizeSpdx(raw: string): LicenseId;

package/tools/wip-license-hook/dist/core/detector.js

@@ -0,0 +1,104 @@
+/**
+ * License text fingerprinting — identifies license type from file content.
+ */
+const FINGERPRINTS = [
+    {
+        id: "MIT",
+        markers: ["permission is hereby granted, free of charge", "the software is provided \"as is\""],
+        antiMarkers: ["apache", "gnu general public"],
+    },
+    {
+        id: "Apache-2.0",
+        markers: ["apache license", "version 2.0"],
+    },
+    {
+        id: "GPL-3.0",
+        markers: ["gnu general public license", "version 3"],
+        antiMarkers: ["lesser general public"],
+    },
+    {
+        id: "GPL-2.0",
+        markers: ["gnu general public license", "version 2"],
+        antiMarkers: ["lesser general public", "version 3"],
+    },
+    {
+        id: "LGPL-3.0",
+        markers: ["gnu lesser general public license", "version 3"],
+    },
+    {
+        id: "LGPL-2.1",
+        markers: ["gnu lesser general public license", "version 2.1"],
+    },
+    {
+        id: "AGPL-3.0",
+        markers: ["gnu affero general public license", "version 3"],
+    },
+    {
+        id: "BSD-3-Clause",
+        markers: ["redistribution and use in source and binary forms", "neither the name"],
+    },
+    {
+        id: "BSD-2-Clause",
+        markers: ["redistribution and use in source and binary forms"],
+        antiMarkers: ["neither the name"],
+    },
+    {
+        id: "MPL-2.0",
+        markers: ["mozilla public license", "version 2.0"],
+    },
+    {
+        id: "ISC",
+        markers: ["isc license", "permission to use, copy, modify"],
+    },
+    {
+        id: "BSL-1.1",
+        markers: ["business source license", "1.1"],
+    },
+    {
+        id: "SSPL-1.0",
+        markers: ["server side public license"],
+    },
+    {
+        id: "Unlicense",
+        markers: ["this is free and unencumbered software released into the public domain"],
+    },
+];
+/**
+ * Detect license type from raw license file text.
+ */
+export function detectLicenseFromText(text) {
+    const lower = text.toLowerCase();
+    for (const fp of FINGERPRINTS) {
+        const allMatch = fp.markers.every((m) => lower.includes(m));
+        const anyAnti = fp.antiMarkers?.some((m) => lower.includes(m)) ?? false;
+        if (allMatch && !anyAnti)
+            return fp.id;
+    }
+    return "UNKNOWN";
+}
+/**
+ * Normalize a license SPDX identifier from package metadata.
+ */
+export function normalizeSpdx(raw) {
+    const map = {
+        mit: "MIT",
+        "apache-2.0": "Apache-2.0",
+        apache2: "Apache-2.0",
+        "bsd-2-clause": "BSD-2-Clause",
+        "bsd-3-clause": "BSD-3-Clause",
+        "gpl-2.0": "GPL-2.0",
+        "gpl-3.0": "GPL-3.0",
+        "gpl-3.0-only": "GPL-3.0",
+        "lgpl-2.1": "LGPL-2.1",
+        "lgpl-3.0": "LGPL-3.0",
+        "mpl-2.0": "MPL-2.0",
+        isc: "ISC",
+        "bsl-1.1": "BSL-1.1",
+        "sspl-1.0": "SSPL-1.0",
+        unlicense: "Unlicense",
+        "agpl-3.0": "AGPL-3.0",
+        "agpl-3.0-only": "AGPL-3.0",
+    };
+    return map[raw.toLowerCase().trim()] ?? "UNKNOWN";
+}
+//# sourceMappingURL=detector.js.map

package/tools/wip-license-hook/dist/core/detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.js","sourceRoot":"","sources":["../../src/core/detector.ts"],"names":[],"mappings":"AAAA;;GAEG;AAyBH,MAAM,YAAY,GAAkB;IAClC;QACE,EAAE,EAAE,KAAK;QACT,OAAO,EAAE,CAAC,8CAA8C,EAAE,oCAAoC,CAAC;QAC/F,WAAW,EAAE,CAAC,QAAQ,EAAE,oBAAoB,CAAC;KAC9C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,OAAO,EAAE,CAAC,gBAAgB,EAAE,aAAa,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,4BAA4B,EAAE,WAAW,CAAC;QACpD,WAAW,EAAE,CAAC,uBAAuB,CAAC;KACvC;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,4BAA4B,EAAE,WAAW,CAAC;QACpD,WAAW,EAAE,CAAC,uBAAuB,EAAE,WAAW,CAAC;KACpD;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,mCAAmC,EAAE,WAAW,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,mCAAmC,EAAE,aAAa,CAAC;KAC9D;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,mCAAmC,EAAE,WAAW,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,cAAc;QAClB,OAAO,EAAE,CAAC,mDAAmD,EAAE,kBAAkB,CAAC;KACnF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,OAAO,EAAE,CAAC,mDAAmD,CAAC;QAC9D,WAAW,EAAE,CAAC,kBAAkB,CAAC;KAClC;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,wBAAwB,EAAE,aAAa,CAAC;KACnD;IACD;QACE,EAAE,EAAE,KAAK;QACT,OAAO,EAAE,CAAC,aAAa,EAAE,iCAAiC,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,yBAAyB,EAAE,KAAK,CAAC;KAC5C;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,4BAA4B,CAAC;KACxC;IACD;QACE,EAAE,EAAE,WAAW;QACf,OAAO,EAAE,CAAC,wEAAwE,CAAC;KACpF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAEjC,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5D,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;QACxE,IAAI,QAAQ,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACzC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,GAAG,GAA8B;QACrC,GAAG,EAAE,KAAK;QACV,YAAY,EAAE,YAAY;QAC1B,OAAO,EAAE,YAAY;QACrB,cAAc,EAAE,cAAc;QAC9B,cAAc,EAAE,cAAc;QAC9B,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;QACpB,cAAc,EAAE,SAAS;QACzB,UAAU,EAAE,UAAU;QACtB,UAAU,EAAE,UAAU;QACtB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,SAAS;QACpB,UAAU,EAAE,UAAU;QACtB,SAAS,EAAE,WAAW;QACtB,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,UAAU;KAC5B,CAAC;IACF,OAAO,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,IAAI,SAAS,CAAC;AACpD,CAAC"}

package/tools/wip-license-hook/dist/core/index.d.ts

@@ -0,0 +1,4 @@
+export { detectLicenseFromText, normalizeSpdx, type LicenseId } from "./detector.js";
+export { readLedger, writeLedger, createEmptyLedger, findEntry, upsertEntry, archiveSnapshot, hasLicenseChanged, addAlert, type Ledger, type LedgerEntry, type Alert, type DependencyType, type DependencyStatus } from "./ledger.js";
+export { scanAll, scanAndUpdate, gateCheck, findLicenseFile, readLicenseFromDir, type ScanResult } from "./scanner.js";
+export { formatScanReport, formatGateOutput, formatLedgerReport, generateDashboardHtml, generateBadgeUrl, writeDashboard } from "./reporter.js";

package/tools/wip-license-hook/dist/core/index.js

@@ -0,0 +1,5 @@
+export { detectLicenseFromText, normalizeSpdx } from "./detector.js";
+export { readLedger, writeLedger, createEmptyLedger, findEntry, upsertEntry, archiveSnapshot, hasLicenseChanged, addAlert } from "./ledger.js";
+export { scanAll, scanAndUpdate, gateCheck, findLicenseFile, readLicenseFromDir } from "./scanner.js";
+export { formatScanReport, formatGateOutput, formatLedgerReport, generateDashboardHtml, generateBadgeUrl, writeDashboard } from "./reporter.js";
+//# sourceMappingURL=index.js.map

package/tools/wip-license-hook/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAkB,MAAM,eAAe,CAAC;AACrF,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,iBAAiB,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,iBAAiB,EAAE,QAAQ,EAAyF,MAAM,aAAa,CAAC;AACtO,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,eAAe,EAAE,kBAAkB,EAAmB,MAAM,cAAc,CAAC;AACvH,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC"}