npm - arkaos - Versions diffs - 2.0.0 → 2.0.2 - Mend

arkaos 2.0.0 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (109) hide show

package/departments/dev/skills/ci-cd-pipeline/references/github-actions-patterns.md ADDED Viewed

@@ -0,0 +1,202 @@
+# GitHub Actions Best Practices — Deep Reference
+> Companion to `ci-cd-pipeline/SKILL.md`. Patterns, pitfalls, and production-ready snippets.
+## Caching Strategies by Ecosystem
+| Ecosystem | Action | Cache Key | Cache Path | Restore Key Fallback |
+|-----------|--------|-----------|------------|---------------------|
+| Node (npm) | `actions/setup-node@v4` | `node-${{ runner.os }}-${{ hashFiles('package-lock.json') }}` | `~/.npm` | `node-${{ runner.os }}-` |
+| Node (pnpm) | `pnpm/action-setup@v4` | `pnpm-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}` | `~/.pnpm-store` | `pnpm-${{ runner.os }}-` |
+| Node (yarn) | `actions/setup-node@v4` | `yarn-${{ runner.os }}-${{ hashFiles('yarn.lock') }}` | `~/.yarn/cache` | `yarn-${{ runner.os }}-` |
+| PHP | `shivammathur/setup-php@v2` | `php-${{ runner.os }}-${{ hashFiles('composer.lock') }}` | `vendor/` | `php-${{ runner.os }}-` |
+| Python | `actions/setup-python@v5` | `pip-${{ runner.os }}-${{ hashFiles('requirements*.txt') }}` | `~/.cache/pip` | `pip-${{ runner.os }}-` |
+| Go | `actions/setup-go@v5` | `go-${{ runner.os }}-${{ hashFiles('go.sum') }}` | `~/go/pkg/mod` | `go-${{ runner.os }}-` |
+| Rust | `actions/cache@v4` | `cargo-${{ runner.os }}-${{ hashFiles('Cargo.lock') }}` | `~/.cargo/registry, target/` | `cargo-${{ runner.os }}-` |
+| Docker | `docker/build-push-action@v5` | Registry cache or `actions/cache` | `/tmp/.buildx-cache` | Use `mode=max` for layer reuse |
+### Cache Size Limits
+- Max 10 GB per repository (LRU eviction after 7 days unused)
+- Single cache entry max: 10 GB
+- If builds are slow, check cache hit rate in Actions UI
+## Matrix Builds
+### When to Use Matrix
+| Situation | Matrix? | Why |
+|-----------|---------|-----|
+| Library supporting multiple runtimes | Yes | Must verify compatibility |
+| Application with fixed runtime | No | One version in production, test that |
+| Cross-platform CLI tool | Yes | OS-specific behavior matters |
+| PR from feature branch | Minimal | Full matrix on main only (saves minutes) |
+### Smart Matrix Pattern
+```yaml
+strategy:
+  fail-fast: true
+  matrix:
+    include:
+      - os: ubuntu-latest
+        node: 20
+        full-suite: true      # Only run slow tests on primary
+      - os: ubuntu-latest
+        node: 18
+        full-suite: false
+      - os: windows-latest
+        node: 20
+        full-suite: false
+```
+### Conditional Matrix Expansion
+```yaml
+# Full matrix on main, minimal on PRs
+jobs:
+  test:
+    strategy:
+      matrix:
+        node: ${{ github.ref == 'refs/heads/main' && fromJson('[18, 20, 22]') || fromJson('[20]') }}
+```
+## Reusable Workflows
+### When to Extract
+- Same CI logic in 3+ repositories
+- Org-wide policy (security scanning, deployment gates)
+- Shared infrastructure steps (Docker build, cloud deploy)
+### Caller Pattern
+```yaml
+# .github/workflows/ci.yml (caller)
+jobs:
+  ci:
+    uses: org/shared-workflows/.github/workflows/node-ci.yml@v1
+    with:
+      node-version: 20
+      run-e2e: true
+    secrets:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+### Versioning Reusable Workflows
+| Strategy | Stability | Flexibility |
+|----------|-----------|------------|
+| `@v1` (major tag) | High | Auto-get patches |
+| `@v1.2.3` (exact) | Highest | Must bump manually |
+| `@main` | Low | Always latest (dangerous) |
+| `@sha` | Highest | Immutable, hard to read |
+**Recommendation:** Use `@v1` (major tag), pin to SHA in security-critical pipelines.
+## Secret Management
+### Secret Scoping
+| Scope | Access | Use Case |
+|-------|--------|----------|
+| Repository secret | This repo only | App-specific keys |
+| Environment secret | Gated by environment rules | Production credentials |
+| Organization secret | All/selected repos | Shared registry tokens |
+### Secret Hygiene Checklist
+- [ ] Never echo secrets in logs (`add-mask` for dynamic values)
+- [ ] Use environment protection rules for production secrets
+- [ ] Rotate secrets on a schedule (90 days max)
+- [ ] Scope secrets to specific environments, not repo-wide
+- [ ] Use OIDC instead of long-lived credentials for cloud providers
+### OIDC for Cloud Providers (No Stored Secrets)
+```yaml
+permissions:
+  id-token: write
+  contents: read
+steps:
+  - uses: aws-actions/configure-aws-credentials@v4
+    with:
+      role-to-assume: arn:aws:iam::123456789:role/deploy
+      aws-region: eu-west-1
+```
+Supported: AWS, GCP, Azure, HashiCorp Vault, Cloudflare.
+## Deployment Environments
+### Environment Protection Rules
+| Rule | Purpose | When |
+|------|---------|------|
+| Required reviewers | Human approval gate | Production deploys |
+| Wait timer | Cooldown between stages | Canary + production |
+| Branch restriction | Only main can deploy | Prevent feature-branch deploys |
+| Custom deployment rules | Third-party gates (Datadog, PagerDuty) | Status checks before deploy |
+### Deployment Strategy Pattern
+```yaml
+deploy-staging:
+  environment: staging
+  needs: [test, build]
+  # Auto-deploy, no approval needed
+deploy-production:
+  environment: production   # Has required reviewers
+  needs: deploy-staging
+  if: github.ref == 'refs/heads/main'
+```
+## Common Pitfalls and Fixes
+| Pitfall | Impact | Fix |
+|---------|--------|-----|
+| `actions/checkout` without `fetch-depth: 0` | Shallow clone breaks git history tools | Set `fetch-depth: 0` for changelog/versioning |
+| Cache key without OS prefix | Cross-OS cache corruption | Always include `runner.os` in key |
+| `pull_request_target` with checkout of PR code | Critical security: runs with write access on untrusted code | Use `pull_request` event instead |
+| No `concurrency` group | Parallel deploys to same environment | Add `concurrency: { group: deploy-${{ github.ref }} }` |
+| Artifact upload without retention | Storage bloat, hitting limits | Set `retention-days: 7` (or less) |
+| `continue-on-error: true` hiding failures | Silent breakage | Use only for optional/informational steps |
+| Running on `push` to all branches | Wasted minutes | Restrict to `main`, `develop`, use `pull_request` for branches |
+| Hardcoded action versions (`@master`) | Breaking changes without notice | Pin to `@v1` or SHA |
+## Workflow Performance Optimization
+| Technique | Savings | Complexity |
+|-----------|---------|------------|
+| Dependency caching | 30-60% of install time | Low |
+| Path-based triggers | Skip irrelevant jobs | Low |
+| Parallel jobs (no `needs`) | Total time = slowest job | Low |
+| Larger runners (org-hosted) | 2-4x faster builds | Medium |
+| Docker layer caching | 50-80% of build time | Medium |
+| Composite actions for shared steps | DRY, faster authoring | Medium |
+| Self-hosted runners | No queue wait, persistent cache | High |
+### Path-Based Triggers
+```yaml
+on:
+  push:
+    paths:
+      - 'src/**'
+      - 'tests/**'
+      - 'package.json'
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+```
+## Security Hardening
+- [ ] Pin all third-party actions to full SHA (not tag)
+- [ ] Use `permissions` block with minimal scopes
+- [ ] Never use `pull_request_target` with PR code checkout
+- [ ] Enable `CODEOWNERS` for `.github/workflows/`
+- [ ] Audit third-party actions before adoption
+- [ ] Use `concurrency` to prevent parallel deploys

package/departments/dev/skills/db-schema/SKILL.md CHANGED Viewed

@@ -128,3 +128,7 @@ Surface these issues WITHOUT being asked:
 ### ERD
 <Mermaid diagram>
 ```
+## References
+- [indexing-strategy.md](references/indexing-strategy.md) — B-tree vs hash vs GIN vs GiST, composite index ordering, partial indexes, covering indexes, EXPLAIN ANALYZE interpretation

package/departments/dev/skills/db-schema/references/indexing-strategy.md ADDED Viewed

@@ -0,0 +1,197 @@
+# Database Indexing Strategy — Deep Reference
+> Companion to `db-schema/SKILL.md`. Index types, ordering rules, anti-patterns, and EXPLAIN interpretation.
+## Index Types Comparison
+| Type | Engine | Best For | Not For | Supports |
+|------|--------|----------|---------|----------|
+| **B-tree** | All | Range queries, sorting, equality, LIKE 'prefix%' | Full-text, array containment | `<, <=, =, >=, >, BETWEEN, IN, IS NULL, LIKE 'x%'` |
+| **Hash** | PostgreSQL | Exact equality only | Range, sorting, partial match | `=` only |
+| **GIN** | PostgreSQL | JSONB containment, arrays, full-text | Single-value equality, range | `@>, ?, ?&, ?|, @@, to_tsvector` |
+| **GiST** | PostgreSQL | Geometric, range types, full-text (ranking) | Exact equality at scale | `&&, @>, <@, <<, >>`, nearest-neighbor |
+| **BRIN** | PostgreSQL | Physically ordered data (timestamps, sequences) | Random access, updates | `<, <=, =, >=, >` (block-level) |
+| **Clustered** | MySQL (InnoDB) | Primary key lookups, range scans | Only one per table | Table data physically ordered by PK |
+| **Full-text** | MySQL/PostgreSQL | Natural language search | Exact match, sorting | `MATCH AGAINST` / `@@` |
+## B-tree: The Default Workhorse
+### When B-tree Wins
+- WHERE with `=, <, >, <=, >=, BETWEEN, IN, IS NULL`
+- ORDER BY (avoids sort operation)
+- LIKE with fixed prefix (`LIKE 'abc%'`)
+- GROUP BY on indexed columns
+### When B-tree Loses
+- LIKE with leading wildcard (`LIKE '%abc'`) -- cannot use index
+- Array containment (`@>`) -- use GIN
+- JSON path queries -- use GIN on JSONB
+- Full-text search -- use GIN/GiST with tsvector
+## Composite Index Ordering Rules
+**The Left-Prefix Rule:** A composite index on `(A, B, C)` can serve queries on `(A)`, `(A, B)`, or `(A, B, C)` -- but NOT `(B)`, `(C)`, or `(B, C)`.
+### Column Order Decision Tree
+```
+1. Put equality columns FIRST (WHERE status = 'active')
+2. Put range/inequality column NEXT (WHERE created_at > '2024-01-01')
+3. Put ORDER BY columns LAST (ORDER BY created_at DESC)
+4. Only ONE range column benefits from the index
+```
+### Worked Example
+```sql
+-- Query:
+SELECT * FROM orders
+WHERE org_id = 5 AND status = 'shipped' AND created_at > '2024-01-01'
+ORDER BY created_at DESC;
+-- Optimal index:
+CREATE INDEX idx_orders_lookup ON orders(org_id, status, created_at DESC);
+--          equality(1)  equality(2)  range+sort(3)
+```
+### Common Ordering Mistakes
+| Mistake | Why It Fails | Fix |
+|---------|-------------|-----|
+| Range column before equality | Index scan stops at first range | Equality columns first |
+| ORDER BY column before WHERE | Cannot skip to ORDER BY | WHERE columns first |
+| Too many columns (>4) | Diminishing returns, write overhead | Profile actual queries |
+## Partial Indexes
+Create an index on a subset of rows. Smaller index, faster scans.
+```sql
+-- Only index active records (90% of queries hit active)
+CREATE INDEX idx_tasks_active ON tasks(project_id, priority)
+WHERE deleted_at IS NULL;
+-- Only index unprocessed jobs
+CREATE INDEX idx_jobs_pending ON jobs(queue, created_at)
+WHERE status = 'pending';
+```
+### When to Use Partial Indexes
+| Scenario | Benefit |
+|----------|---------|
+| Soft-deleted tables (query active only) | Index is 10-50% smaller |
+| Status columns (query one status predominantly) | Skip irrelevant rows |
+| Boolean flags (query TRUE only, small % of table) | Dramatic size reduction |
+| Multi-tenant (one tenant is 80% of queries) | Focused index for hot tenant |
+## Covering Indexes (Index-Only Scans)
+Include all columns a query needs so the database never touches the table.
+```sql
+-- PostgreSQL: INCLUDE clause
+CREATE INDEX idx_orders_covering ON orders(customer_id, status)
+INCLUDE (total, created_at);
+-- MySQL: all needed columns in the index
+CREATE INDEX idx_orders_covering ON orders(customer_id, status, total, created_at);
+```
+### Covering Index Checklist
+- [ ] Query SELECT list is fully covered by index
+- [ ] WHERE clause columns are in the index key
+- [ ] ORDER BY columns are in the index key
+- [ ] INCLUDE columns are for SELECT only (not filterable)
+## When NOT to Index
+| Situation | Why |
+|-----------|-----|
+| Table has < 1,000 rows | Full scan is faster than index lookup |
+| Column with < 5 distinct values on large table | Low selectivity, planner ignores index |
+| Write-heavy table with rare reads | Index maintenance cost > read benefit |
+| Columns only used in SELECT (not WHERE/ORDER) | Index does not help (unless covering) |
+| Duplicate of existing composite prefix | `(A, B)` already covers `(A)` queries |
+| Expression not matching index | `WHERE LOWER(email)` does not use index on `email` |
+### Low Selectivity Exception
+If a boolean/status column is in a composite index with a high-selectivity column, it CAN help:
+```sql
+-- Low selectivity alone (useless): INDEX(is_active)
+-- High selectivity in composite (useful): INDEX(org_id, is_active)
+```
+## EXPLAIN ANALYZE Interpretation
+### Key Fields to Check
+| Field | Good | Bad | Action |
+|-------|------|-----|--------|
+| **Seq Scan** | Small tables (<1K rows) | Large tables (>10K rows) | Add index on filter columns |
+| **Index Scan** | Expected on filtered queries | N/A | Ideal for selective queries |
+| **Index Only Scan** | Best case (no table access) | N/A | Covering index working |
+| **Bitmap Heap Scan** | Multiple index conditions | N/A | Normal for OR/multi-index |
+| **Sort** | Small result set | `Sort Method: external merge` | Add ORDER BY to index |
+| **Hash Join** | Equal-size tables | Huge hash table (memory) | Check join column indexes |
+| **Nested Loop** | Small outer, indexed inner | Large outer without index | Add index on inner join column |
+| **Rows** (estimated vs actual) | Close match | 10x+ difference | Run ANALYZE, check statistics |
+### Reading EXPLAIN Output
+```
+Execution time breakdown:
+- actual time=X..Y    X = time to first row, Y = time to all rows
+- rows=N              Actual rows returned by this node
+- loops=N             How many times this node executed
+- Buffers: shared hit Reads from cache (good)
+- Buffers: shared read Reads from disk (slow)
+```
+### Red Flags in EXPLAIN
+| Pattern | Problem | Fix |
+|---------|---------|-----|
+| `Seq Scan` on table > 10K rows | Missing index | Add index on WHERE columns |
+| `Sort Method: external merge Disk` | Sort spills to disk | Increase `work_mem` or add index |
+| `Rows Removed by Filter: 99000` (of 100K) | Non-selective scan | Add partial index or composite |
+| `actual rows=100000` vs `rows=1` | Stale statistics | `ANALYZE table_name` |
+| `Nested Loop` with `Seq Scan` inner | Missing join index | Index inner table's join column |
+## Index Maintenance
+### Regular Tasks
+| Task | Frequency | Command (PostgreSQL) |
+|------|-----------|---------------------|
+| Check bloat | Weekly | `SELECT * FROM pg_stat_user_indexes WHERE idx_scan = 0` |
+| Remove unused indexes | Monthly | Drop indexes with 0 scans over 30+ days |
+| Reindex bloated indexes | Quarterly | `REINDEX INDEX CONCURRENTLY idx_name` |
+| Update statistics | After bulk loads | `ANALYZE table_name` |
+| Check index size vs table | Quarterly | Total index size should be < 2x table size |
+### Identifying Unused Indexes
+```sql
+SELECT schemaname, relname, indexrelname, idx_scan, pg_size_pretty(pg_relation_size(indexrelid))
+FROM pg_stat_user_indexes
+WHERE idx_scan = 0 AND indexrelid NOT IN (
+    SELECT conindid FROM pg_constraint WHERE contype IN ('p', 'u')
+)
+ORDER BY pg_relation_size(indexrelid) DESC;
+```
+## MySQL vs PostgreSQL Index Differences
+| Feature | PostgreSQL | MySQL (InnoDB) |
+|---------|-----------|---------------|
+| Covering indexes | INCLUDE clause | All columns in index key |
+| Partial indexes | Yes (WHERE clause) | No native support |
+| Expression indexes | Yes (`CREATE INDEX ON (LOWER(email))`) | Generated columns + index |
+| GIN/GiST | Yes | No |
+| BRIN | Yes | No |
+| Clustered index | Optional (CLUSTER) | Always on PK (mandatory) |
+| Index-only scan | Requires recent VACUUM | Automatic via clustered index |
+| Concurrent creation | `CREATE INDEX CONCURRENTLY` | `ALGORITHM=INPLACE` (limited) |

package/departments/dev/skills/dependency-audit/SKILL.md CHANGED Viewed

@@ -116,3 +116,7 @@ Surface these issues WITHOUT being asked:
 - Outdated: {count} ({major} major updates pending)
 - Recommendation: {SAFE TO DEPLOY | FIX BEFORE DEPLOY | BLOCK DEPLOY}
 ```
+## References
+- [license-matrix.md](references/license-matrix.md) — Open source license compatibility matrix, copyleft obligations, commercial use implications, and dual-licensing strategies

package/departments/dev/skills/dependency-audit/references/license-matrix.md ADDED Viewed

@@ -0,0 +1,191 @@
+# Open Source License Compatibility Matrix — Deep Reference
+> Companion to `dependency-audit/SKILL.md`. License obligations, compatibility rules, and commercial implications.
+## License Classification
+| License | Type | OSI Approved | Copyleft Strength |
+|---------|------|-------------|-------------------|
+| MIT | Permissive | Yes | None |
+| ISC | Permissive | Yes | None |
+| BSD-2-Clause | Permissive | Yes | None |
+| BSD-3-Clause | Permissive | Yes | None |
+| Apache-2.0 | Permissive | Yes | None (patent grant) |
+| MPL-2.0 | Weak copyleft | Yes | File-level |
+| LGPL-2.1 | Weak copyleft | Yes | Library-level |
+| LGPL-3.0 | Weak copyleft | Yes | Library-level |
+| GPL-2.0 | Strong copyleft | Yes | Entire work |
+| GPL-3.0 | Strong copyleft | Yes | Entire work |
+| AGPL-3.0 | Network copyleft | Yes | Entire work + network use |
+| SSPL | Source-available | No | Entire service stack |
+| BSL 1.1 | Source-available | No | Time-delayed open source |
+| Proprietary | Proprietary | No | Full restriction |
+## Compatibility Matrix
+Can you combine code under these licenses in the SAME project?
+| Dependency License | Your Project: MIT | Your Project: Apache-2.0 | Your Project: GPL-3.0 | Your Project: Proprietary |
+|-------------------|:-:|:-:|:-:|:-:|
+| MIT | OK | OK | OK | OK |
+| BSD-2/3 | OK | OK | OK | OK |
+| Apache-2.0 | OK | OK | OK | OK |
+| MPL-2.0 | OK (keep MPL files) | OK (keep MPL files) | OK | OK (keep MPL files) |
+| LGPL-2.1/3.0 | OK (dynamic link) | OK (dynamic link) | OK | OK (dynamic link only) |
+| GPL-2.0 | NO | NO | OK (if "or later") | NO |
+| GPL-3.0 | NO | NO | OK | NO |
+| AGPL-3.0 | NO | NO | OK (becomes AGPL) | NO |
+**Key:** OK = compatible. NO = license violation.
+## Obligations by License
+### Permissive Licenses (MIT, BSD, ISC, Apache-2.0)
+| Obligation | MIT | BSD-2 | BSD-3 | Apache-2.0 |
+|------------|:---:|:-----:|:-----:|:----------:|
+| Include copyright notice | Yes | Yes | Yes | Yes |
+| Include license text | Yes | Yes | Yes | Yes |
+| State changes | No | No | No | Yes |
+| Patent grant | No | No | No | Yes |
+| No endorsement clause | No | No | Yes | No |
+| NOTICE file preservation | No | No | No | Yes |
+### Copyleft Licenses (MPL, LGPL, GPL, AGPL)
+| Obligation | MPL-2.0 | LGPL-3.0 | GPL-3.0 | AGPL-3.0 |
+|------------|:-------:|:--------:|:-------:|:--------:|
+| Source code of modified files | Yes | Yes | Yes | Yes |
+| Source code of entire work | No | No | Yes | Yes |
+| Network use triggers copyleft | No | No | No | Yes |
+| Allow reverse engineering | No | Yes | Yes | Yes |
+| Provide installation info | No | No | Yes | Yes |
+| Anti-tivoization clause | No | No | Yes | Yes |
+## Commercial Use Decision Tree
+```
+START: Is the dependency's license identified?
+  NO  --> STOP. Do not use. Unknown license = all rights reserved.
+  YES --> Is it permissive (MIT, BSD, ISC, Apache)?
+    YES --> SAFE for commercial use. Include attribution.
+    NO  --> Is it weak copyleft (MPL, LGPL)?
+      YES --> SAFE if:
+        MPL: Keep modified MPL files open-source
+        LGPL: Dynamic linking only (no static linking in proprietary)
+      NO  --> Is it strong copyleft (GPL)?
+        YES --> NOT SAFE for proprietary. Your entire project becomes GPL.
+               Exception: GPL with Classpath Exception (like OpenJDK)
+        NO  --> Is it network copyleft (AGPL)?
+          YES --> NOT SAFE. Even SaaS use triggers copyleft.
+          NO  --> Is it source-available (SSPL, BSL)?
+            YES --> Review specific terms. Usually NOT safe for competing services.
+            NO  --> Legal review required.
+```
+## Common Ecosystem License Risks
+### Node.js (npm)
+| Risk Pattern | Example | Action |
+|-------------|---------|--------|
+| Transitive GPL dependency | `node-sass` (deprecated, had GPL deps) | Audit full tree with `license-checker` |
+| License field missing in package.json | Small utilities | Check source repo manually |
+| "SEE LICENSE IN" custom file | Some enterprise libs | Read the actual file |
+| Dual license with one GPL option | Some databases | Verify you are using the permissive option |
+### PHP (Composer)
+| Risk Pattern | Example | Action |
+|-------------|---------|--------|
+| Laravel itself is MIT | Framework code | Safe |
+| Packages wrapping GPL tools | ImageMagick bindings | Check if wrapper license differs from tool |
+| WordPress ecosystem (GPL-2.0+) | Themes, plugins | All derivatives must be GPL |
+### Python (pip)
+| Risk Pattern | Example | Action |
+|-------------|---------|--------|
+| PSF license (Python itself) | Standard lib | Safe, permissive |
+| LGPL in scientific computing | Some NumPy deps historically | Dynamic linking usually fine |
+| GPL in CLI tools used via subprocess | `pandoc` (GPL) | Subprocess call != linking (generally safe) |
+## Dual Licensing Strategies
+| Strategy | How It Works | Example |
+|----------|-------------|---------|
+| Open core | AGPL for community, proprietary for enterprise | MongoDB (was AGPL, now SSPL) |
+| GPL + commercial | GPL for open use, paid license for proprietary embedding | MySQL, Qt |
+| MIT + paid support | MIT code, paid for SLA/support/features | Many SaaS tools |
+| BSL time-delay | Source-available now, becomes open source after N years | CockroachDB, Sentry |
+## License Audit Automation
+### npm
+```bash
+# List all licenses
+npx license-checker --summary
+# Fail CI on copyleft
+npx license-checker --failOn "GPL-2.0;GPL-3.0;AGPL-3.0"
+# Export for legal review
+npx license-checker --csv --out licenses.csv
+```
+### Composer (PHP)
+```bash
+# List licenses
+composer licenses
+# Detailed with dependencies
+composer licenses --format=json
+```
+### pip (Python)
+```bash
+pip-licenses --format=table --with-urls
+pip-licenses --fail-on="GPL-2.0;GPL-3.0;AGPL-3.0"
+```
+## License Change Risks
+| Event | Risk | Action |
+|-------|------|--------|
+| Maintainer relicenses (MIT -> BSL) | Future versions restricted | Pin to last MIT version |
+| CLA-based project changes license | All contributor code affected | Monitor project governance |
+| Acquisition changes license | New owner may restrict | Evaluate fork options |
+| License removed from package | Defaults to all-rights-reserved | Contact maintainer, find alternative |
+### Notable License Changes (Precedents)
+| Project | From | To | Year | Impact |
+|---------|------|----|------|--------|
+| Elasticsearch | Apache-2.0 | SSPL | 2021 | AWS forked as OpenSearch |
+| Redis modules | BSD | SSPL | 2024 | Community forks (Valkey) |
+| HashiCorp (Terraform) | MPL-2.0 | BSL 1.1 | 2023 | OpenTofu fork |
+| MongoDB | AGPL-3.0 | SSPL | 2018 | Cloud providers stopped offering |
+## NOTICE File Template
+When using Apache-2.0 licensed code, preserve and extend the NOTICE file:
+```
+This product includes software developed by [Original Author].
+Licensed under the Apache License, Version 2.0.
+Modifications by [Your Company], [Year].
+```
+## Quick Reference: "Can I Use This?"
+| Your Project Type | Safe Licenses | Caution | Blocked |
+|-------------------|--------------|---------|---------|
+| Proprietary SaaS | MIT, BSD, ISC, Apache-2.0 | MPL, LGPL (check linking) | GPL, AGPL, SSPL |
+| Proprietary desktop app | MIT, BSD, ISC, Apache-2.0 | LGPL (dynamic link only) | GPL, AGPL |
+| Open source (MIT) | MIT, BSD, ISC, Apache-2.0 | MPL | GPL, AGPL (would change your license) |
+| Open source (GPL-3.0) | All OSI-approved | SSPL, BSL | Proprietary, GPL-2.0-only |
+| Internal tool (never distributed) | All (copyleft not triggered) | AGPL (network use triggers) | SSPL (service use triggers) |

package/departments/dev/skills/incident/SKILL.md CHANGED Viewed

@@ -123,3 +123,7 @@ Surface these issues WITHOUT being asked:
 1. [Key takeaway]
 2. [Key takeaway]
 ```
+## References
+- [severity-playbook.md](references/severity-playbook.md) — SEV1-4 definitions, escalation paths, communication templates, and PIR checklist