@wipcomputer/wip-license-hook 1.0.0

package/LICENSE

@@ -0,0 +1,52 @@
+Dual License: MIT + AGPLv3
+
+Copyright (c) 2026 WIP Computer, Inc.
+
+
+1. MIT License (local and personal use)
+---------------------------------------
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+2. GNU Affero General Public License v3.0 (commercial and cloud use)
+--------------------------------------------------------------------
+
+If you run this software as part of a hosted service, cloud platform,
+marketplace listing, or any network-accessible offering for commercial
+purposes, the AGPLv3 terms apply. You must either:
+
+  a) Release your complete source code under AGPLv3, or
+  b) Obtain a commercial license.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+
+AGPLv3 for personal use is free. Commercial licenses available.

package/README.md

@@ -0,0 +1,200 @@
+###### WIP Computer
+
+[![npm](https://img.shields.io/npm/v/@wipcomputer/wip-license-hook)](https://www.npmjs.com/package/@wipcomputer/wip-license-hook) [![CLI / TUI](https://img.shields.io/badge/interface-CLI_/_TUI-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-license-hook/cli.js) [![MCP Server](https://img.shields.io/badge/interface-MCP_Server-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-license-hook/mcp-server.mjs) [![Claude Code Skill](https://img.shields.io/badge/interface-Claude_Code_Skill-black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-license-hook/SKILL.md) [![Universal Interface Spec](https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black)](https://github.com/wipcomputer/wip-ai-devops-toolbox/blob/main/tools/wip-universal-installer/SPEC.md)
+
+# wip-license-hook
+
+License rug-pull detection and dependency license compliance for open source projects.
+
+## The Problem
+
+You fork an MIT project. You build on it. Six months later, the upstream quietly changes to BSL or proprietary. You pull the update without checking. Now your project is poisoned.
+
+This has happened. It will happen again.
+
+## The Solution
+
+A pre-merge hook + daily scanner + public dashboard that:
+
+1. **Maintains a license ledger** of every dependency and fork at time of adoption
+2. **Gates all upstream merges** — if the license changed, the merge is blocked
+3. **Scans daily** — catches license drift before it reaches your codebase
+4. **Publishes a dashboard** — public proof of license health for anyone using your forks
+
+## How It Works
+
+### Git Hooks (Always On)
+
+**Two mandatory hooks. No bypass.**
+
+**Pre-pull** — before pulling anything from upstream:
+```
+git pull upstream main
+  → hook fires FIRST
+  → fetch without merge
+  → check LICENSE, package.json, SPDX headers
+  → compare against ledger
+  → SAME? → pull proceeds
+  → CHANGED? → BLOCK. Flag. Document. Notify. Do NOT pull.
+```
+
+**Pre-push** — before pushing any commit to our branch:
+```
+git push origin main
+  → hook fires FIRST
+  → check upstream license status
+  → compare against ledger
+  → SAME? → push proceeds
+  → CHANGED? → ALERT. Warn that upstream has drifted. Push still allowed (it's our code) but we know.
+```
+
+Pre-pull = hard gate (blocks).
+Pre-push = alert (warns, doesn't block our own work).
+
+### License Ledger
+
+`LICENSE-LEDGER.json` tracks every dependency:
+
+```json
+{
+  "dependencies": [
+    {
+      "name": "openclaw",
+      "source": "github:openclaw/openclaw",
+      "type": "fork",
+      "license_at_adoption": "MIT",
+      "license_current": "MIT",
+      "adopted_date": "2026-02-05",
+      "last_checked": "2026-02-15",
+      "commit_at_adoption": "abc123",
+      "status": "clean"
+    }
+  ],
+  "last_full_scan": "2026-02-15T08:00:00Z",
+  "alerts": []
+}
+```
+
+Status values: `clean` | `changed` | `removed` | `unknown`
+
+### LICENSE Snapshots
+
+Physical copies of LICENSE files at adoption. Not just metadata. Proof that survives git history rewrites.
+
+```
+ledger/
+  snapshots/
+    openclaw/
+      LICENSE-2026-02-05.txt    ← what it was when we forked
+      LICENSE-2026-02-15.txt    ← latest check
+```
+
+If they rug-pull and rewrite history, we have the receipt on disk.
+
+### Daily Cron Scan
+
+Runs every morning:
+
+1. For each fork: `git fetch upstream` (no merge), check LICENSE file
+2. For each npm/pip dependency: check registry for current license metadata
+3. Compare everything against the ledger
+4. Generate report
+5. If anything changed: alert immediately (message, email, or both)
+
+### Public Dashboard
+
+Static site (GitHub Pages or similar) generated from the ledger:
+
+- List of all dependencies and forks
+- License at adoption vs current license
+- Last checked date
+- Health status (green/yellow/red)
+- Proof links (commit hashes, archived LICENSE files)
+
+Anyone using our forks can verify: "WIP Computer adopted this when it was MIT, and it's still MIT."
+
+## Detection Methods
+
+### For Forks (git repos)
+- Check `LICENSE` / `LICENSE.md` / `COPYING` file content
+- Parse `package.json` license field
+- Check for SPDX headers in source files
+- Compare against known license text fingerprints
+
+### For npm Dependencies
+- `npm view <package> license`
+- Compare against ledger
+
+### For Python Dependencies
+- `pip show <package>` license field
+- PyPI API metadata
+
+## Installation
+
+### As an OpenClaw Skill
+```bash
+clawhub install wip-license-hook
+```
+
+### As a Git Hook
+```bash
+wip-license-hook install --repo .
+```
+
+### As a Cron Job
+```bash
+wip-license-hook scan --all --report
+```
+
+## Architecture
+
+```
+core/
+  scanner.ts       — license detection logic
+  ledger.ts        — ledger read/write/compare
+  detector.ts      — license text fingerprinting
+  reporter.ts      — generate reports and alerts
+cli/
+  index.ts         — CLI wrapper
+skill/
+  SKILL.md         — OpenClaw/agent skill definition
+dashboard/
+  index.html       — static dashboard generator
+hooks/
+  pre-merge.sh     — git hook script
+```
+
+## Commands
+
+```bash
+wip-license-hook init              # Initialize ledger for current project
+wip-license-hook scan              # Scan all deps, update ledger
+wip-license-hook check <dep>       # Check specific dependency
+wip-license-hook gate              # Pre-merge license gate (for hooks)
+wip-license-hook report            # Generate report
+wip-license-hook dashboard         # Generate static dashboard
+wip-license-hook alert             # Send alerts for any changes
+```
+
+## Why This Matters
+
+> "Been dubious of MIT open source. Seen too many pull it or hide non-MIT bins for it all to work."
+
+This tool is the guardrail. The receipt. The proof.
+
+If your dependency gets rug-pulled, you have:
+- The exact commit where the license was what you agreed to
+- Documentation of when and what changed
+- A clean fork point to fall back to
+- Public proof for anyone downstream of you
+
+## License
+
+```
+CLI, MCP server, skills                        MIT    (use anywhere, no restrictions)
+Hosted or cloud service use                    AGPL   (network service distribution)
+```
+
+AGPL for personal use is free.
+
+Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).

package/dist/cli/index.d.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+/**
+ * wip-license-hook CLI
+ *
+ * Commands:
+ *   init        Initialize ledger for current project
+ *   scan        Scan all deps, update ledger
+ *   check <dep> Check specific dependency
+ *   gate        Pre-merge license gate (for hooks)
+ *   report      Print ledger report
+ *   dashboard   Generate static dashboard HTML
+ *   alert       Print current alerts
+ *   install     Install git hooks in current repo
+ */
+export {};

package/dist/cli/index.js

@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+/**
+ * wip-license-hook CLI
+ *
+ * Commands:
+ *   init        Initialize ledger for current project
+ *   scan        Scan all deps, update ledger
+ *   check <dep> Check specific dependency
+ *   gate        Pre-merge license gate (for hooks)
+ *   report      Print ledger report
+ *   dashboard   Generate static dashboard HTML
+ *   alert       Print current alerts
+ *   install     Install git hooks in current repo
+ */
+import { resolve } from "node:path";
+import { existsSync, mkdirSync, copyFileSync } from "node:fs";
+import { readLedger, writeLedger, createEmptyLedger, findEntry, scanAndUpdate, gateCheck, formatScanReport, formatGateOutput, formatLedgerReport, writeDashboard, generateBadgeUrl, } from "../core/index.js";
+const args = process.argv.slice(2);
+const command = args[0];
+const flags = new Set(args.filter((a) => a.startsWith("--")));
+const positional = args.filter((a) => !a.startsWith("--")).slice(1);
+const repoRoot = resolve(process.cwd());
+const offline = flags.has("--offline");
+const verbose = flags.has("--verbose");
+function help() {
+    console.log(`
+wip-license-hook — License rug-pull detection
+
+Usage: wip-license-hook <command> [options]
+
+Commands:
+  init              Initialize LICENSE-LEDGER.json
+  scan              Scan all dependencies, update ledger
+  check <name>      Check a specific dependency
+  gate              Pre-merge license gate (exit 1 if changed)
+  report            Print ledger status
+  dashboard         Generate static HTML dashboard
+  alert             Show current alerts
+  install           Install git hooks in .git/hooks/
+  badge             Print shields.io badge URL
+
+Options:
+  --offline         Skip network calls (use cached data only)
+  --verbose         Verbose output
+  --help            Show this help
+`);
+}
+async function main() {
+    if (!command || command === "--help" || flags.has("--help")) {
+        help();
+        return;
+    }
+    switch (command) {
+        case "init": {
+            const ledgerPath = resolve(repoRoot, "LICENSE-LEDGER.json");
+            if (existsSync(ledgerPath)) {
+                console.log("⚠️  LICENSE-LEDGER.json already exists. Use 'scan' to update.");
+                return;
+            }
+            writeLedger(repoRoot, createEmptyLedger());
+            mkdirSync(resolve(repoRoot, "ledger/snapshots"), { recursive: true });
+            console.log("✅ Initialized LICENSE-LEDGER.json and ledger/snapshots/");
+            console.log("   Run 'wip-license-hook scan' to populate.");
+            break;
+        }
+        case "scan": {
+            console.log(offline ? "📡 Scanning (offline mode)..." : "📡 Scanning dependencies...");
+            const results = scanAndUpdate({ repoRoot, offline, verbose });
+            console.log(formatScanReport(results));
+            break;
+        }
+        case "check": {
+            const name = positional[0];
+            if (!name) {
+                console.error("Usage: wip-license-hook check <dependency-name>");
+                process.exit(1);
+            }
+            const ledger = readLedger(repoRoot);
+            const entry = findEntry(ledger, name);
+            if (!entry) {
+                console.log(`❓ ${name} not found in ledger. Run 'scan' first.`);
+                process.exit(1);
+            }
+            console.log(`\n  ${entry.status === "clean" ? "✅" : "🚫"} ${entry.name}`);
+            console.log(`     Type:    ${entry.type}`);
+            console.log(`     Source:  ${entry.source}`);
+            console.log(`     Adopted: ${entry.license_at_adoption} on ${entry.adopted_date}`);
+            console.log(`     Current: ${entry.license_current} (checked ${entry.last_checked})`);
+            console.log(`     Status:  ${entry.status}\n`);
+            break;
+        }
+        case "gate": {
+            if (offline) {
+                console.log("⚠️  Offline mode — skipping license gate (cannot verify upstream).");
+                console.log("    Your push will proceed, but licenses were NOT checked.");
+                process.exit(0);
+            }
+            const { safe, alerts } = gateCheck(repoRoot, offline);
+            console.log(formatGateOutput(safe, alerts));
+            if (!safe)
+                process.exit(1);
+            break;
+        }
+        case "report": {
+            const ledger = readLedger(repoRoot);
+            console.log(formatLedgerReport(ledger));
+            break;
+        }
+        case "dashboard": {
+            const outPath = writeDashboard(repoRoot);
+            console.log(`✅ Dashboard written to ${outPath}`);
+            break;
+        }
+        case "alert": {
+            const ledger = readLedger(repoRoot);
+            if (ledger.alerts.length === 0) {
+                console.log("✅ No active alerts.");
+            }
+            else {
+                console.log(`\n⚠️  ${ledger.alerts.length} alert(s):\n`);
+                for (const a of ledger.alerts) {
+                    console.log(`  ${a.message}`);
+                    console.log(`  Detected: ${a.detected}\n`);
+                }
+            }
+            break;
+        }
+        case "install": {
+            const hooksDir = resolve(repoRoot, ".git/hooks");
+            if (!existsSync(resolve(repoRoot, ".git"))) {
+                console.error("❌ Not a git repository. Run from a git repo root.");
+                process.exit(1);
+            }
+            mkdirSync(hooksDir, { recursive: true });
+            // Find hooks relative to the package
+            const pkgRoot = resolve(new URL(".", import.meta.url).pathname, "../../..");
+            const prePullSrc = resolve(pkgRoot, "hooks/pre-pull.sh");
+            const preCommitSrc = resolve(pkgRoot, "hooks/pre-push.sh");
+            for (const [src, dest] of [
+                [prePullSrc, resolve(hooksDir, "pre-merge-commit")],
+                [preCommitSrc, resolve(hooksDir, "pre-push")],
+            ]) {
+                if (existsSync(src)) {
+                    copyFileSync(src, dest);
+                    const { chmodSync } = await import("node:fs");
+                    chmodSync(dest, 0o755);
+                    console.log(`✅ Installed ${dest}`);
+                }
+                else {
+                    console.log(`⚠️  Hook source not found: ${src}`);
+                }
+            }
+            break;
+        }
+        case "badge": {
+            const ledger = readLedger(repoRoot);
+            console.log(generateBadgeUrl(ledger));
+            break;
+        }
+        default:
+            console.error(`Unknown command: ${command}`);
+            help();
+            process.exit(1);
+    }
+}
+main().catch((err) => {
+    console.error("Fatal error:", err.message);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAiB,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EACL,UAAU,EAAE,WAAW,EAAE,iBAAiB,EAAE,SAAS,EACrD,aAAa,EAAE,SAAS,EACxB,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EACtD,cAAc,EAAE,gBAAgB,GACjC,MAAM,kBAAkB,CAAC;AAE1B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACxB,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEpE,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;AACxC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AACvC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAEvC,SAAS,IAAI;IACX,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;CAoBb,CAAC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5D,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;YAC5D,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;gBAC7E,OAAO;YACT,CAAC;YACD,WAAW,CAAC,QAAQ,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAC3C,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,kBAAkB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACtE,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;YAC3D,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC;YACvF,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC9D,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;YACvC,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAC3B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACtC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,yCAAyC,CAAC,CAAC;gBAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1E,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,mBAAmB,OAAO,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;YACnF,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,eAAe,aAAa,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC;YACtF,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC;YAC/C,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;gBAClF,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;gBAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;YACxC,MAAM;QACR,CAAC;QAED,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,OAAO,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;YACjD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,MAAM,CAAC,MAAM,cAAc,CAAC,CAAC;gBACzD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC9B,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACjD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC3C,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEzC,qCAAqC;YACrC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;YACzD,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;YAE3D,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI;gBACxB,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;gBACnD,CAAC,YAAY,EAAE,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;aAC9C,EAAE,CAAC;gBACF,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpB,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;oBACxB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;oBAC9C,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;gBACrC,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,GAAG,EAAE,CAAC,CAAC;gBACnD,CAAC;YACH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM;QACR,CAAC;QAED;YACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;YAC7C,IAAI,EAAE,CAAC;YACP,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/core/detector.d.ts

@@ -0,0 +1,12 @@
+/**
+ * License text fingerprinting — identifies license type from file content.
+ */
+export type LicenseId = "MIT" | "Apache-2.0" | "BSD-2-Clause" | "BSD-3-Clause" | "GPL-2.0" | "GPL-3.0" | "LGPL-2.1" | "LGPL-3.0" | "MPL-2.0" | "ISC" | "BSL-1.1" | "SSPL-1.0" | "Unlicense" | "AGPL-3.0" | "UNKNOWN";
+/**
+ * Detect license type from raw license file text.
+ */
+export declare function detectLicenseFromText(text: string): LicenseId;
+/**
+ * Normalize a license SPDX identifier from package metadata.
+ */
+export declare function normalizeSpdx(raw: string): LicenseId;

package/dist/core/detector.js

@@ -0,0 +1,104 @@
+/**
+ * License text fingerprinting — identifies license type from file content.
+ */
+const FINGERPRINTS = [
+    {
+        id: "MIT",
+        markers: ["permission is hereby granted, free of charge", "the software is provided \"as is\""],
+        antiMarkers: ["apache", "gnu general public"],
+    },
+    {
+        id: "Apache-2.0",
+        markers: ["apache license", "version 2.0"],
+    },
+    {
+        id: "GPL-3.0",
+        markers: ["gnu general public license", "version 3"],
+        antiMarkers: ["lesser general public"],
+    },
+    {
+        id: "GPL-2.0",
+        markers: ["gnu general public license", "version 2"],
+        antiMarkers: ["lesser general public", "version 3"],
+    },
+    {
+        id: "LGPL-3.0",
+        markers: ["gnu lesser general public license", "version 3"],
+    },
+    {
+        id: "LGPL-2.1",
+        markers: ["gnu lesser general public license", "version 2.1"],
+    },
+    {
+        id: "AGPL-3.0",
+        markers: ["gnu affero general public license", "version 3"],
+    },
+    {
+        id: "BSD-3-Clause",
+        markers: ["redistribution and use in source and binary forms", "neither the name"],
+    },
+    {
+        id: "BSD-2-Clause",
+        markers: ["redistribution and use in source and binary forms"],
+        antiMarkers: ["neither the name"],
+    },
+    {
+        id: "MPL-2.0",
+        markers: ["mozilla public license", "version 2.0"],
+    },
+    {
+        id: "ISC",
+        markers: ["isc license", "permission to use, copy, modify"],
+    },
+    {
+        id: "BSL-1.1",
+        markers: ["business source license", "1.1"],
+    },
+    {
+        id: "SSPL-1.0",
+        markers: ["server side public license"],
+    },
+    {
+        id: "Unlicense",
+        markers: ["this is free and unencumbered software released into the public domain"],
+    },
+];
+/**
+ * Detect license type from raw license file text.
+ */
+export function detectLicenseFromText(text) {
+    const lower = text.toLowerCase();
+    for (const fp of FINGERPRINTS) {
+        const allMatch = fp.markers.every((m) => lower.includes(m));
+        const anyAnti = fp.antiMarkers?.some((m) => lower.includes(m)) ?? false;
+        if (allMatch && !anyAnti)
+            return fp.id;
+    }
+    return "UNKNOWN";
+}
+/**
+ * Normalize a license SPDX identifier from package metadata.
+ */
+export function normalizeSpdx(raw) {
+    const map = {
+        mit: "MIT",
+        "apache-2.0": "Apache-2.0",
+        apache2: "Apache-2.0",
+        "bsd-2-clause": "BSD-2-Clause",
+        "bsd-3-clause": "BSD-3-Clause",
+        "gpl-2.0": "GPL-2.0",
+        "gpl-3.0": "GPL-3.0",
+        "gpl-3.0-only": "GPL-3.0",
+        "lgpl-2.1": "LGPL-2.1",
+        "lgpl-3.0": "LGPL-3.0",
+        "mpl-2.0": "MPL-2.0",
+        isc: "ISC",
+        "bsl-1.1": "BSL-1.1",
+        "sspl-1.0": "SSPL-1.0",
+        unlicense: "Unlicense",
+        "agpl-3.0": "AGPL-3.0",
+        "agpl-3.0-only": "AGPL-3.0",
+    };
+    return map[raw.toLowerCase().trim()] ?? "UNKNOWN";
+}
+//# sourceMappingURL=detector.js.map

package/dist/core/detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.js","sourceRoot":"","sources":["../../src/core/detector.ts"],"names":[],"mappings":"AAAA;;GAEG;AAyBH,MAAM,YAAY,GAAkB;IAClC;QACE,EAAE,EAAE,KAAK;QACT,OAAO,EAAE,CAAC,8CAA8C,EAAE,oCAAoC,CAAC;QAC/F,WAAW,EAAE,CAAC,QAAQ,EAAE,oBAAoB,CAAC;KAC9C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,OAAO,EAAE,CAAC,gBAAgB,EAAE,aAAa,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,4BAA4B,EAAE,WAAW,CAAC;QACpD,WAAW,EAAE,CAAC,uBAAuB,CAAC;KACvC;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,4BAA4B,EAAE,WAAW,CAAC;QACpD,WAAW,EAAE,CAAC,uBAAuB,EAAE,WAAW,CAAC;KACpD;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,mCAAmC,EAAE,WAAW,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,mCAAmC,EAAE,aAAa,CAAC;KAC9D;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,mCAAmC,EAAE,WAAW,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,cAAc;QAClB,OAAO,EAAE,CAAC,mDAAmD,EAAE,kBAAkB,CAAC;KACnF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,OAAO,EAAE,CAAC,mDAAmD,CAAC;QAC9D,WAAW,EAAE,CAAC,kBAAkB,CAAC;KAClC;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,wBAAwB,EAAE,aAAa,CAAC;KACnD;IACD;QACE,EAAE,EAAE,KAAK;QACT,OAAO,EAAE,CAAC,aAAa,EAAE,iCAAiC,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,CAAC,yBAAyB,EAAE,KAAK,CAAC;KAC5C;IACD;QACE,EAAE,EAAE,UAAU;QACd,OAAO,EAAE,CAAC,4BAA4B,CAAC;KACxC;IACD;QACE,EAAE,EAAE,WAAW;QACf,OAAO,EAAE,CAAC,wEAAwE,CAAC;KACpF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAEjC,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5D,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;QACxE,IAAI,QAAQ,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACzC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,GAAG,GAA8B;QACrC,GAAG,EAAE,KAAK;QACV,YAAY,EAAE,YAAY;QAC1B,OAAO,EAAE,YAAY;QACrB,cAAc,EAAE,cAAc;QAC9B,cAAc,EAAE,cAAc;QAC9B,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,SAAS;QACpB,cAAc,EAAE,SAAS;QACzB,UAAU,EAAE,UAAU;QACtB,UAAU,EAAE,UAAU;QACtB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,SAAS;QACpB,UAAU,EAAE,UAAU;QACtB,SAAS,EAAE,WAAW;QACtB,UAAU,EAAE,UAAU;QACtB,eAAe,EAAE,UAAU;KAC5B,CAAC;IACF,OAAO,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC,IAAI,SAAS,CAAC;AACpD,CAAC"}

package/dist/core/index.d.ts

@@ -0,0 +1,4 @@
+export { detectLicenseFromText, normalizeSpdx, type LicenseId } from "./detector.js";
+export { readLedger, writeLedger, createEmptyLedger, findEntry, upsertEntry, archiveSnapshot, hasLicenseChanged, addAlert, type Ledger, type LedgerEntry, type Alert, type DependencyType, type DependencyStatus } from "./ledger.js";
+export { scanAll, scanAndUpdate, gateCheck, findLicenseFile, readLicenseFromDir, type ScanResult } from "./scanner.js";
+export { formatScanReport, formatGateOutput, formatLedgerReport, generateDashboardHtml, generateBadgeUrl, writeDashboard } from "./reporter.js";

package/dist/core/index.js

@@ -0,0 +1,5 @@
+export { detectLicenseFromText, normalizeSpdx } from "./detector.js";
+export { readLedger, writeLedger, createEmptyLedger, findEntry, upsertEntry, archiveSnapshot, hasLicenseChanged, addAlert } from "./ledger.js";
+export { scanAll, scanAndUpdate, gateCheck, findLicenseFile, readLicenseFromDir } from "./scanner.js";
+export { formatScanReport, formatGateOutput, formatLedgerReport, generateDashboardHtml, generateBadgeUrl, writeDashboard } from "./reporter.js";
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAkB,MAAM,eAAe,CAAC;AACrF,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,iBAAiB,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,iBAAiB,EAAE,QAAQ,EAAyF,MAAM,aAAa,CAAC;AACtO,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,eAAe,EAAE,kBAAkB,EAAmB,MAAM,cAAc,CAAC;AACvH,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC"}

package/dist/core/ledger.d.ts

@@ -0,0 +1,49 @@
+/**
+ * License ledger — read/write/compare LICENSE-LEDGER.json + snapshot archiving.
+ */
+import type { LicenseId } from "./detector.js";
+export type DependencyStatus = "clean" | "changed" | "removed" | "unknown";
+export type DependencyType = "fork" | "npm" | "pip" | "cargo" | "go";
+export interface LedgerEntry {
+    name: string;
+    source: string;
+    type: DependencyType;
+    license_at_adoption: LicenseId;
+    license_current: LicenseId;
+    adopted_date: string;
+    last_checked: string;
+    commit_at_adoption?: string;
+    status: DependencyStatus;
+}
+export interface Alert {
+    dependency: string;
+    from: LicenseId;
+    to: LicenseId;
+    detected: string;
+    message: string;
+}
+export interface Ledger {
+    version: 1;
+    dependencies: LedgerEntry[];
+    last_full_scan: string | null;
+    alerts: Alert[];
+}
+export declare function ledgerPath(repoRoot: string): string;
+export declare function createEmptyLedger(): Ledger;
+export declare function readLedger(repoRoot: string): Ledger;
+export declare function writeLedger(repoRoot: string, ledger: Ledger): void;
+export declare function findEntry(ledger: Ledger, name: string): LedgerEntry | undefined;
+export declare function upsertEntry(ledger: Ledger, entry: LedgerEntry): void;
+/**
+ * Archive a LICENSE file snapshot for a dependency.
+ */
+export declare function archiveSnapshot(repoRoot: string, depName: string, licenseContent: string, date?: string): string;
+/**
+ * Compare an entry's current license against its adoption license.
+ * Returns true if changed.
+ */
+export declare function hasLicenseChanged(entry: LedgerEntry): boolean;
+/**
+ * Add an alert to the ledger.
+ */
+export declare function addAlert(ledger: Ledger, dep: string, from: LicenseId, to: LicenseId): void;