licenseguard-cli 1.2.2 → 2.0.0

package/LICENSE

@@ -1,7 +1,7 @@
 MIT License
 
-Copyright (c) 2025 rfxlamia
-github.com/rfxlamia/licenseguard
+Copyright (c) 2025 v
+
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,66 +1,134 @@
 # LicenseGuard
 
-[![npm version](https://badge.fury.io/js/licenseguard-cli.svg)](https://badge.fury.io/js/licenseguard-cli)
-[![Build Status](https://github.com/your-username/licenseguard/workflows/Test/badge.svg)](https://github.com/your-username/licenseguard/actions)
-[![Coverage Status](https://codecov.io/gh/your-username/licenseguard/branch/main/graph/badge.svg)](https://codecov.io/gh/your-username/licenseguard)
+[![npm version](https://badge.fury.io/js/licenseguard-cli.svg)](https://www.npmjs.com/package/licenseguard-cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-**License setup & compliance helper for developers**
+> License setup & compliance guard for developers
 
-LicenseGuard is a CLI tool that helps you quickly set up open source licenses for your projects with automatic git hooks that notify your team about licensing requirements.
+LicenseGuard helps you set up open source licenses and protects your project from license conflicts. It scans your dependencies for incompatible licenses and automatically notifies developers about licensing requirements - works with any language (Node.js, Python, Rust, Go, etc.).
+
+## Key Features
+
+- **Dependency Scanning** - Scans npm dependencies for license conflicts during setup
+- **Conflict Detection** - Detects incompatible licenses (e.g., GPL vs MIT) and blocks creation
+- **SPDX Compatibility** - Industry-standard license compatibility checking
+- **Scan Results** - Save scan results to `.licenseguardrc` for transparency
+- **Automatic Notifications** - See license info immediately after `git clone`
+- **Zero Effort** - Global hooks install once, work forever
+- **Language Agnostic** - Works for Python, Rust, Go, Ruby, any project
+- **Offline** - All license templates bundled, no internet required
+
+---
 
 ## Quick Start
 
+### For Developers (One-time Setup)
+
 ```bash
-# Step 1: Run the interactive setup
-npx licenseguard-cli --init
+npm install -g licenseguard-cli
+```
+
+That's it! Now every time you clone a repo with `.licenseguardrc`, you'll see:
+
+```bash
+git clone https://github.com/some/project
+# 📜 This project uses MIT License by ProjectOwner
+```
+
+### For Project Owners
+
+```bash
+cd your-project
+licenseguard init
+```
 
-# Step 2: Answer the prompts (license type, owner name, year)
+Follow the prompts, then commit:
 
-# Step 3: Done! Your LICENSE file and git hooks are ready
+```bash
+git add LICENSE .licenseguardrc
+git commit -m "Add license"
+git push
 ```
 
-That's it! Your project now has:
-- A properly formatted LICENSE file
-- A `.licenseguardrc` configuration file
-- Git hooks that display license reminders (optional)
+Anyone who has LicenseGuard installed globally will now see your license info when they clone.
+
+---
+
+## How It Works
+
+### Automatic Global Hooks
+
+When you install LicenseGuard globally, it automatically:
+
+1. Creates git template directory at `~/.git-templates/hooks/`
+2. Installs self-contained hooks (only needs Node.js, not LicenseGuard)
+3. Configures git: `git config --global init.templateDir ~/.git-templates`
+
+Now **every** `git clone` or `git init` copies these hooks automatically.
 
-## Installation
+The hooks check for `.licenseguardrc` and display license info if found:
 
-### Using npx (Recommended)
 ```bash
-npx licenseguard-cli --init
+git clone <any-repo>
+# If .licenseguardrc exists:
+# 📜 This project uses MIT License by OwnerName
+
+git checkout feature-branch
+# 📜 This project uses MIT License by OwnerName
+
+git commit -m "changes"
+# ℹ️  Reminder: This project is licensed under MIT
 ```
 
-### Global Installation
+---
+
+## Installation Options
+
+### Global (Recommended)
+
 ```bash
 npm install -g licenseguard-cli
-licenseguard --init
 ```
 
-### Local Installation
+Enables automatic license notifications for all git operations.
+
+### Using npx (No install)
+
 ```bash
-npm install --save-dev licenseguard-cli
-npx licenseguard-cli --init
+npx licenseguard-cli init
 ```
 
-## Usage
+One-time use without global install (no automatic notifications).
 
-### Interactive Setup (`--init`)
+### Local Development Dependency
 
 ```bash
-licenseguard --init
+npm install --save-dev licenseguard-cli
 ```
 
-This command guides you through:
-1. Selecting a license type
-2. Entering your copyright owner name
-3. Setting the copyright year (defaults to current year)
-4. Adding a project URL (optional)
-5. Optionally initializing git if not already a repo
-6. Installing git hooks for license notifications
+For use in npm scripts (see Advanced Usage).
+
+---
+
+## Commands
 
-**Example Output:**
+### `init` - Interactive Setup
+
+```bash
+licenseguard init
+```
+
+Guides you through:
+1. Selecting license type (MIT, Apache 2.0, GPL 3.0, etc.)
+2. Copyright owner name
+3. Copyright year (defaults to current)
+4. Project URL (optional)
+5. Dependency scanning for license conflicts
+6. Option to save scan results
+7. Git initialization (if needed)
+8. Git hooks installation
+
+Example (with clean dependencies):
 ```
 📜 LicenseGuard - Interactive License Setup
 
@@ -69,46 +137,91 @@ This command guides you through:
 ? Copyright year: 2025
 ? Project URL (optional): https://github.com/you/project
 
+🔍 Scanning dependencies for license conflicts...
+
+✓ Scan complete - 150 dependencies checked
+  ✓ 150 compatible
+  ✓ 0 incompatible
+  ✓ 0 unknown
+
+? Save scan results to .licenseguardrc? Yes
+
 ✓ LICENSE file created
+✓ Scan results saved to .licenseguardrc
 ✓ Configuration saved to .licenseguardrc
 ✓ Git hooks installed
 
 📄 Your project is now licensed under MIT
 ```
 
-### Fast Setup (`--init-fast`)
+Example (with conflicts):
+```
+🔍 Scanning dependencies for license conflicts...
+
+✗ Scan complete - 150 dependencies checked
+  ✓ 147 compatible
+  ❌ 2 incompatible
+  ⚠️ 1 unknown
+
+⚠️ CONFLICTS DETECTED:
+
+❌ some-gpl-lib@2.0.0 (GPL-3.0)
+   Conflict: Copyleft incompatible with MIT
+   Location: node_modules/some-gpl-lib/package.json
+
+✗ LICENSE NOT created due to license conflicts.
+
+Fix conflicts or use --force to proceed anyway:
+  licenseguard init --force
+```
+
+**Flags:**
+- `--force` - Create LICENSE despite conflicts (shows warnings)
+- `--noscan` - Skip dependency scanning
+
+### `init --fast` - Non-Interactive Setup
 
 ```bash
-licenseguard --init-fast --license mit --owner "Your Name"
+licenseguard init --fast --license mit --owner "Your Name"
 ```
 
-Non-interactive setup with flags. Perfect for CI/CD or scripting.
+Perfect for CI/CD or scripting. Automatically scans dependencies and auto-saves clean results.
 
-**Available Flags:**
-- `--license <type>` (required) - License type to use
-- `--owner <name>` (optional) - Copyright owner (auto-detects from git config)
-- `--year <year>` (optional) - Copyright year (defaults to current year)
-- `--url <url>` (optional) - Project URL (auto-detects from git remote)
+**Flags:**
+- `--fast` - Enable non-interactive mode
+- `--license <type>` (required) - License type
+- `--owner <name>` (optional) - Auto-detects from git config
+- `--year <year>` (optional) - Defaults to current year
+- `--url <url>` (optional) - Auto-detects from git remote
+- `--force` - Create LICENSE despite conflicts
+- `--noscan` - Skip dependency scanning
 
-**Examples:**
+**Auto-save behavior in fast mode:**
+- Clean scan (no conflicts) → Automatically saves `scanResult`
+- Conflicts detected → Does not save `scanResult`
+
+Examples:
 ```bash
-# Minimal (auto-detects owner from git config)
-licenseguard --init-fast --license mit
+# Minimal
+licenseguard init --fast --license mit
 
-# Full specification
-licenseguard --init-fast --license apache2_0 --owner "Apache Corp" --year 2025 --url "https://apache.org"
+# Skip scanning
+licenseguard init --fast --license mit --noscan
 
-# GPL license
-licenseguard --init-fast --license gpl3_0 --owner "Free Software Foundation"
+# Force creation despite conflicts
+licenseguard init --fast --license mit --force
+
+# Full specification
+licenseguard init --fast --license apache2_0 --owner "Apache Corp" --year 2025
 ```
 
-### List Available Licenses (`--ls`)
+### `ls` - List Available Licenses
 
 ```bash
-licenseguard --ls
+licenseguard ls
 ```
 
-Displays all available license types:
+Output:
 ```
 Available License Templates:
 
@@ -120,23 +233,36 @@ Available License Templates:
 ✓ WTFPL - Do What The F*ck You Want To Public License (ultra-permissive)
 ```
 
-## Available Licenses
+### `setup` - Setup Hooks Only
 
-| License Key | Display Name | Description |
-|-------------|--------------|-------------|
-| `mit` | MIT | MIT License (permissive, widely used) |
-| `apache2_0` | Apache 2.0 | Apache License 2.0 (permissive with patent grant) |
-| `gpl3_0` | GPL 3.0 | GNU General Public License 3.0 (copyleft) |
-| `bsd3clause` | BSD 3-Clause | BSD 3-Clause License (permissive with attribution) |
-| `isc` | ISC | ISC License (simpler MIT alternative) |
-| `wtfpl` | WTFPL | Do What The F*ck You Want To Public License (ultra-permissive) |
+```bash
+licenseguard setup
+```
 
-Not sure which license to choose? Visit [choosealicense.com](https://choosealicense.com) for guidance.
+Reads existing `.licenseguardrc` and installs hooks. Used in npm prepare scripts.
+
+---
+
+## Supported Licenses
+
+| Key | Name | Description |
+|-----|------|-------------|
+| `mit` | MIT | Permissive, widely used |
+| `apache2_0` | Apache 2.0 | Permissive with patent grant |
+| `gpl3_0` | GPL 3.0 | Copyleft |
+| `bsd3clause` | BSD 3-Clause | Permissive with attribution |
+| `isc` | ISC | Simpler MIT alternative |
+| `wtfpl` | WTFPL | Ultra-permissive |
+
+Not sure which to choose? Visit [choosealicense.com](https://choosealicense.com).
+
+---
 
 ## Configuration
 
-LicenseGuard creates a `.licenseguardrc` file in your project root:
+LicenseGuard creates `.licenseguardrc` in your project root.
 
+**Basic format:**
 ```json
 {
   "license": "mit",
@@ -146,148 +272,184 @@ LicenseGuard creates a `.licenseguardrc` file in your project root:
 }
 ```
 
-This configuration is used by the git hooks to display license information.
-
-## Git Hooks
-
-LicenseGuard installs two informational git hooks:
-
-### Post-Checkout Hook
-Displays a notification after `git checkout` or branch switches:
-```
-📜 This project uses MIT License by Your Name
+**With scan results (optional):**
+```json
+{
+  "license": "mit",
+  "owner": "Your Name",
+  "year": "2025",
+  "url": "https://github.com/you/project",
+  "scanResult": {
+    "timestamp": "2025-11-18T10:30:00.000Z",
+    "totalDependencies": 150,
+    "compatible": 150,
+    "incompatible": 0,
+    "unknown": 0,
+    "issues": []
+  }
+}
 ```
 
-### Pre-Commit Hook
-Displays a reminder before each commit:
-```
-ℹ️ Reminder: This project is licensed under MIT
-```
+**Why save scan results?**
+- **Transparency badge** - Shows your project has validated license compliance
+- **Trust signal** - Like CI badges or test coverage badges
+- **Audit trail** - Documents when dependencies were last checked
+- **Open source best practice** - Demonstrates license awareness
 
-**Important:**
-- Hooks are **educational only** - they never block git operations
-- Hooks always exit with code 0 (success)
-- If `.licenseguardrc` is missing, hooks silently exit
+This file **must be committed** to your repository so others can see your license info.
 
-### Auto-Setup on Clone (npm projects)
+---
+
+## Advanced Usage
 
-Git hooks live in `.git/hooks/` which is **not tracked by git**. This means hooks are not copied when someone clones your repository.
+### For npm Projects (Alternative to Global Install)
 
-For npm projects, you can use the `prepare` script to automatically set up hooks when developers run `npm install`:
+If you can't rely on developers having LicenseGuard installed globally, use npm prepare script:
 
-**Add to your package.json:**
 ```json
 {
   "devDependencies": {
-    "licenseguard-cli": "^1.1.0"
+    "licenseguard-cli": "^2.0.0"
   },
   "scripts": {
-    "prepare": "licenseguard --setup || true"
+    "prepare": "licenseguard setup || true"
   }
 }
 ```
 
-**What happens when someone clones your project:**
-```bash
-git clone <your-repo>       # Gets code + .licenseguardrc
-npm install                 # AUTOMATICALLY:
-                           # 📜 "This project uses MIT License by Your Name"
-                           # ✓ Git hooks installed
-git checkout feature        # Notification appears (hooks active)
-git commit                  # Reminder appears (hooks active)
-```
+When developers run `npm install`, hooks are set up automatically.
 
-The `--setup` command:
-- Reads `.licenseguardrc` and displays license notification
-- Installs git hooks automatically
-- Always exits 0 (never breaks `npm install`)
-- Safe to run multiple times (idempotent)
+### Existing Git Hooks
 
-### Existing Hooks
+LicenseGuard **never overwrites** existing hooks. If conflicts exist:
 
-If you already have git hooks, LicenseGuard will NOT overwrite them. Instead, it creates variants:
-- `.git/hooks/licenseguard-pre-commit`
-- `.git/hooks/licenseguard-post-checkout`
+- Creates `licenseguard-post-checkout` and `licenseguard-pre-commit`
+- Shows warning with merge instructions
 
-You can manually merge these with your existing hooks if desired.
+### Non-Git Projects
 
-### Without Git
+LicenseGuard works without git:
+- `init` offers to run `git init`
+- `init --fast` creates LICENSE file only
+- Hooks are skipped with warning
 
-If your project is not a git repository:
-- Interactive mode (`--init`) will offer to run `git init`
-- Fast mode (`--init-fast`) will skip hooks and warn you
-- `--setup` command will skip hooks with a warning
-- LICENSE file is always created regardless of git status
+---
 
 ## FAQ
 
-### Does this work offline?
-Yes! LicenseGuard is completely offline. All license templates are bundled with the package.
+### What licenses are checked during scanning?
 
-### Can I use custom licenses?
-Currently, LicenseGuard supports the 6 most common open source licenses. Custom license support may be added in future versions.
+Scans **npm dependencies only** (reads `package.json` and `node_modules`). It checks:
+- SPDX license identifiers (MIT, Apache-2.0, GPL-3.0, BSD-3-Clause, ISC, etc.)
+- License compatibility using industry-standard rules
+- Copyleft vs permissive conflicts (e.g., GPL incompatible with MIT)
 
-### Does it work on Windows?
-Yes! LicenseGuard is fully cross-platform and works on Linux, macOS, and Windows.
+For non-JavaScript projects, use `--noscan` flag.
 
-### What if I already have a LICENSE file?
-Interactive mode will ask if you want to overwrite it. Fast mode will overwrite without asking.
+### How does SPDX compatibility work?
 
-### How do I update my license?
-Run `licenseguard --init` again and it will regenerate your LICENSE file.
+LicenseGuard uses [spdx-satisfies](https://www.npmjs.com/package/spdx-satisfies) for compatibility checking:
+- **Permissive licenses** (MIT, Apache, BSD, ISC) - Compatible with most licenses
+- **Copyleft licenses** (GPL-3.0) - Incompatible with permissive project licenses
+- **Unknown licenses** - Generates warnings but doesn't block
+- **Custom rules** - Fallback for non-SPDX licenses (WTFPL, proprietary)
 
-### Can I disable the git hooks?
-The hooks are informational only and don't block anything. If you don't want them, simply delete the hook files from `.git/hooks/`.
+### What is the scanResult for?
 
-### What Node.js versions are supported?
-LicenseGuard requires Node.js 18.x or 20.x (LTS versions).
+`scanResult` is optional transparency data you can commit to show:
+1. Your project has validated license compliance
+2. When dependencies were last scanned
+3. What conflicts (if any) were detected
+4. Trust signal for users and contributors (like CI badges)
 
-## Contributing
+You choose whether to save it after each scan. Clean scans default to YES, conflicts default to NO.
 
-Contributions are welcome! Please feel free to submit a Pull Request.
+### Can I skip dependency scanning?
 
-1. Fork the repository
-2. Create your feature branch (`git checkout -b feature/amazing-feature`)
-3. Commit your changes (`git commit -m 'Add some amazing feature'`)
-4. Push to the branch (`git push origin feature/amazing-feature`)
-5. Open a Pull Request
+Yes! Use the `--noscan` flag:
+```bash
+licenseguard init --noscan
+```
 
-## Development
+This is useful for:
+- Non-JavaScript projects
+- Projects without dependencies
+- When you want manual license management
 
-```bash
-# Clone the repository
-git clone https://github.com/your-username/licenseguard.git
-cd licenseguard
+### Does this work for non-JavaScript projects?
+
+**Yes!** LicenseGuard works for any project:
+- Python projects
+- Rust/Cargo projects
+- Go modules
+- Ruby gems
+- Any language
+
+The hooks only need Node.js installed (which most developers have).
 
-# Install dependencies
-npm install
+### Do my contributors need to install LicenseGuard?
 
-# Run tests
-npm test
+For automatic notifications: **Yes**, they need `npm install -g licenseguard-cli` once.
 
-# Run tests with coverage
-npm run test:coverage
+Alternative: Use npm prepare script (see Advanced Usage) - then only project owner installs.
 
-# Lint code
-npm run lint
+### Does this work offline?
+
+Yes! All license templates are bundled. No internet required.
 
-# Format code
-npm run format
+### Can I disable notifications?
 
-# Test locally
-npm link
-cd /tmp && mkdir test-project && cd test-project
-licenseguard --init
+Delete hooks from `.git/hooks/`:
+```bash
+rm .git/hooks/post-checkout .git/hooks/pre-commit
 ```
 
+Or remove global hooks:
+```bash
+rm -rf ~/.git-templates/hooks/
+git config --global --unset init.templateDir
+```
+
+### What Node.js versions work?
+
+Node.js 18.x or 20.x (LTS versions).
+
+### Does it work on Windows?
+
+Yes! Fully cross-platform (Linux, macOS, Windows).
+
+---
+
+## Why LicenseGuard?
+
+- **Not enforcing** - Unlike license scanners, we inform and educate
+- **Zero friction** - One global install, automatic forever
+- **Universal** - Works with any language/framework
+- **Educational** - Raises awareness without blocking workflows
+- **Open source** - MIT licensed, free forever
+
+---
+
+## Contributing
+
+Contributions welcome!
+
+1. Fork the repository
+2. Create feature branch: `git checkout -b feature/amazing`
+3. Commit changes: `git commit -m 'Add feature'`
+4. Push: `git push origin feature/amazing`
+5. Open Pull Request
+
+---
+
 ## License
 
-This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+MIT License - see [LICENSE](LICENSE) file.
 
 ---
 
-**Links:**
-- [Choose a License](https://choosealicense.com) - Help choosing the right license
-- [Open Source Initiative](https://opensource.org/licenses) - OSI-approved licenses
-- [GitHub Repository](https://github.com/your-username/licenseguard) - Source code
-- [npm Package](https://www.npmjs.com/package/licenseguard-cli) - npm registry
+## Links
+
+- [npm Package](https://www.npmjs.com/package/licenseguard-cli)
+- [Choose a License](https://choosealicense.com)
+- [Open Source Initiative](https://opensource.org/licenses)

package/bin/licenseguard.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 const { program } = require('commander')
+const chalk = require('chalk')
 const { version } = require('../package.json')
 const { runList } = require('../lib/commands/list')
 const { runInit } = require('../lib/commands/init')
@@ -9,44 +10,61 @@ const { setupCommand } = require('../lib/commands/setup')
 
 program
   .version(version)
-  .description('License setup & compliance helper for developers')
+  .description('License setup & compliance guard for developers')
 
+// Init command with subcommand-specific options
 program
-  .option('--init', 'Interactive license setup wizard')
-  .option('--init-fast', 'Non-interactive fast setup')
-  .option('--license <type>', 'License type (for --init-fast)')
-  .option('--owner <name>', 'Copyright owner name (for --init-fast)')
-  .option('--year <year>', 'Copyright year (for --init-fast)')
-  .option('--url <url>', 'Project URL (for --init-fast)')
-  .option('--ls', 'List available license templates')
-  .option(
-    '--setup',
-    'Setup license notification and install git hooks (for npm prepare script)'
-  )
-  .parse(process.argv)
-
-const options = program.opts()
-
-if (options.init) {
-  runInit().catch((err) => {
-    console.error('Error:', err.message)
-    process.exit(1)
-  })
-} else if (options.initFast) {
-  runInitFast(options).catch((err) => {
-    console.error('Error:', err.message)
-    process.exit(1)
+  .command('init')
+  .description('Interactive license setup with dependency scanning')
+  .option('--force', 'Create LICENSE despite conflicts')
+  .option('--noscan', 'Skip dependency scanning')
+  .option('--fast', 'Non-interactive mode with auto-detection')
+  .option('--license <type>', 'License type (for --fast mode)')
+  .option('--owner <name>', 'Copyright owner name (for --fast mode)')
+  .option('--year <year>', 'Copyright year (for --fast mode)')
+  .option('--url <url>', 'Project URL (for --fast mode)')
+  .action(async (options) => {
+    try {
+      if (options.fast) {
+        await runInitFast(options)
+      } else {
+        await runInit(options)
+      }
+    } catch (error) {
+      console.error(chalk.red('✗ Error:'), error.message)
+      process.exit(1)
+    }
   })
-} else if (options.ls) {
-  runList().catch((err) => {
-    console.error('Error:', err.message)
-    process.exit(1)
+
+// List command
+program
+  .command('ls')
+  .description('List available license templates')
+  .action(async () => {
+    try {
+      await runList()
+    } catch (error) {
+      console.error(chalk.red('✗ Error:'), error.message)
+      process.exit(1)
+    }
   })
-} else if (options.setup) {
-  setupCommand().catch((err) => {
-    // Even on error, don't exit 1 - npm prepare compatibility
-    console.error('Setup warning:', err.message)
+
+// Setup command (kept for npm prepare script compatibility)
+program
+  .command('setup')
+  .description('Setup license notification and install git hooks (for npm prepare script)')
+  .action(async () => {
+    try {
+      await setupCommand()
+    } catch (error) {
+      // Even on error, don't exit 1 - npm prepare compatibility
+      console.error(chalk.yellow('⚠️  Setup warning:'), error.message)
+    }
   })
-} else {
+
+program.parse(process.argv)
+
+// Show help if no command provided
+if (!process.argv.slice(2).length) {
   program.help()
 }

package/lib/commands/init-fast.js

@@ -5,6 +5,7 @@ const chalk = require('chalk')
 const { generateLicense, LICENSE_TEMPLATES } = require('../templates')
 const { writeConfig } = require('../utils/file-ops')
 const { isGitRepo, installHooks } = require('../utils/git-helpers')
+const { scanDependencies, displayConflictReport } = require('../scanner')
 
 function getGitConfig(key) {
   try {
@@ -63,19 +64,85 @@ async function runInitFast(options) {
     if (url) console.log(chalk.gray(`URL: ${url}`))
     console.log()
 
+    // Scanner integration (Story 2.3) - Fast mode
+    let scanResult = null
+    if (!options.noscan) {
+      // Convert internal license format to SPDX identifier
+      const licenseToSPDX = {
+        'mit': 'MIT',
+        'apache2_0': 'Apache-2.0',
+        'gpl3_0': 'GPL-3.0',
+        'bsd3clause': 'BSD-3-Clause',
+        'isc': 'ISC',
+        'wtfpl': 'WTFPL'
+      }
+      const spdxLicense = licenseToSPDX[flags.license] || flags.license.toUpperCase()
+
+      try {
+        console.log(chalk.blue('🔍 Scanning dependencies for license conflicts...\n'))
+
+        scanResult = await scanDependencies(spdxLicense)
+        const hasConflicts = displayConflictReport(scanResult, spdxLicense)
+
+        if (hasConflicts && !options.force) {
+          // Block LICENSE creation due to conflicts
+          console.error(chalk.red('\n✗ LICENSE NOT created due to license conflicts.'))
+          console.log(chalk.yellow('\nFix conflicts or use --force to proceed anyway:'))
+          console.log(chalk.blue('  licenseguard init --fast --force --license ' + flags.license + '\n'))
+          process.exit(1)
+        }
+
+        if (hasConflicts && options.force) {
+          console.log(chalk.yellow('\n⚠️  Creating LICENSE despite conflicts (--force mode)\n'))
+        }
+      } catch (scanError) {
+        // If scanning fails (not process.exit), warn but don't block
+        if (scanError.message !== 'process.exit called') {
+          console.log(chalk.yellow(`\n⚠️  Dependency scanning failed: ${scanError.message}`))
+          console.log(chalk.yellow('Continuing with LICENSE creation...\n'))
+        } else {
+          // Re-throw process.exit errors
+          throw scanError
+        }
+      }
+    }
+
     // Generate license text
     const licenseContent = generateLicense(flags.license, owner, year, url)
 
     // Write LICENSE file directly (no prompt in fast mode)
     fs.writeFileSync('LICENSE', licenseContent, 'utf8')
 
-    // Write config file
-    writeConfig({
+    // Auto-save scan results in fast mode (Story 2.4: AC #1, #2)
+    // Default: YES for clean scans, NO for conflicts
+    const configData = {
       license: flags.license,
       owner: owner,
       year: year,
       url: url,
-    })
+    }
+
+    if (scanResult) {
+      const hasConflicts = scanResult.incompatible > 0
+      const shouldSave = !hasConflicts // Auto-save if clean
+
+      if (shouldSave) {
+        configData.scanResult = scanResult
+      }
+    }
+
+    // Write config file
+    writeConfig(configData)
+
+    // Feedback for scan result save
+    if (scanResult) {
+      const hasConflicts = scanResult.incompatible > 0
+      if (!hasConflicts) {
+        console.log(chalk.green('✓ Scan results saved to .licenseguardrc'))
+      } else {
+        console.log(chalk.gray('Scan results not saved (conflicts detected)'))
+      }
+    }
 
     // Success messages
     console.log(chalk.green('✓ LICENSE file created'))

package/lib/commands/init.js

@@ -3,8 +3,9 @@ const chalk = require('chalk')
 const { generateLicense } = require('../templates')
 const { writeLicenseFile, writeConfig } = require('../utils/file-ops')
 const { isGitRepo, initGitRepo, installHooks } = require('../utils/git-helpers')
+const { scanDependencies, displayConflictReport } = require('../scanner')
 
-async function runInit() {
+async function runInit(options = {}) {
   try {
     console.log(chalk.blue('📜 LicenseGuard - Interactive License Setup\n'))
 
@@ -48,6 +49,49 @@ async function runInit() {
       },
     ])
 
+    // Scanner integration (Story 2.3)
+    let scanResult = null
+    if (!options.noscan) {
+      // Convert internal license format to SPDX identifier
+      const licenseToSPDX = {
+        'mit': 'MIT',
+        'apache2_0': 'Apache-2.0',
+        'gpl3_0': 'GPL-3.0',
+        'bsd3clause': 'BSD-3-Clause',
+        'isc': 'ISC',
+        'wtfpl': 'WTFPL'
+      }
+      const spdxLicense = licenseToSPDX[answers.license] || answers.license.toUpperCase()
+
+      try {
+        console.log(chalk.blue('\n🔍 Scanning dependencies for license conflicts...\n'))
+
+        scanResult = await scanDependencies(spdxLicense)
+        const hasConflicts = displayConflictReport(scanResult, spdxLicense)
+
+        if (hasConflicts && !options.force) {
+          // Block LICENSE creation due to conflicts
+          console.error(chalk.red('\n✗ LICENSE NOT created due to license conflicts.'))
+          console.log(chalk.yellow('\nFix conflicts or use --force to proceed anyway:'))
+          console.log(chalk.blue('  licenseguard init --force\n'))
+          process.exit(1)
+        }
+
+        if (hasConflicts && options.force) {
+          console.log(chalk.yellow('\n⚠️  Creating LICENSE despite conflicts (--force mode)\n'))
+        }
+      } catch (scanError) {
+        // If scanning fails (not process.exit), warn but don't block
+        if (scanError.message !== 'process.exit called') {
+          console.log(chalk.yellow(`\n⚠️  Dependency scanning failed: ${scanError.message}`))
+          console.log(chalk.yellow('Continuing with LICENSE creation...\n'))
+        } else {
+          // Re-throw process.exit errors
+          throw scanError
+        }
+      }
+    }
+
     // Generate license text
     const licenseContent = generateLicense(
       answers.license,
@@ -64,13 +108,47 @@ async function runInit() {
       process.exit(0)
     }
 
-    // Write config file
-    writeConfig({
+    // Prompt to save scan results (Story 2.4: AC #1, #2)
+    let saveScanResult = false
+    if (scanResult) {
+      // Determine default: YES for clean scans, NO for conflicts
+      const hasConflicts = scanResult.incompatible > 0
+      const defaultSave = !hasConflicts
+
+      const saveAnswer = await inquirer.prompt([
+        {
+          type: 'confirm',
+          name: 'saveScanResult',
+          message: 'Save scan results to .licenseguardrc?',
+          default: defaultSave,
+        },
+      ])
+
+      saveScanResult = saveAnswer.saveScanResult
+    }
+
+    // Write config file (Story 2.4: AC #3)
+    const configData = {
       license: answers.license,
       owner: answers.owner,
       year: answers.year,
       url: answers.url,
-    })
+    }
+
+    if (saveScanResult && scanResult) {
+      configData.scanResult = scanResult
+    }
+
+    writeConfig(configData)
+
+    // Feedback for scan result save choice
+    if (scanResult) {
+      if (saveScanResult) {
+        console.log(chalk.green('✓ Scan results saved to .licenseguardrc'))
+      } else {
+        console.log(chalk.gray('Scan results not saved'))
+      }
+    }
 
     // Success messages
     console.log(chalk.green('\n✓ LICENSE file created'))

package/lib/scanner/compat-checker.js

@@ -0,0 +1,114 @@
+/**
+ * License compatibility checker
+ * Uses SPDX libraries for standard licenses + custom rules for non-SPDX
+ */
+
+const satisfies = require('spdx-satisfies')
+const parse = require('spdx-expression-parse')
+
+/**
+ * Custom compatibility rules for non-SPDX licenses
+ * @type {Object}
+ */
+const CUSTOM_COMPAT = {
+  wtfpl: {
+    type: 'permissive',
+    compatibleWith: '*', // Compatible with everything
+    description: 'Do What The F*ck You Want To Public License'
+  }
+}
+
+/**
+ * Permissive licenses that are generally compatible with each other
+ */
+const PERMISSIVE_LICENSES = ['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', '0BSD']
+
+/**
+ * Copyleft licenses that have restrictions
+ */
+const COPYLEFT_LICENSES = ['GPL-2.0', 'GPL-3.0', 'AGPL-3.0', 'GPL-2.0-only', 'GPL-3.0-only', 'LGPL-2.1', 'LGPL-3.0']
+
+/**
+ * Check if two licenses are compatible
+ * @param {string} projectLicense - The project's license
+ * @param {string} depLicense - The dependency's license
+ * @returns {{compatible: boolean, reason: string}} Compatibility result
+ */
+function checkCompatibility(projectLicense, depLicense) {
+  // Handle unknown licenses
+  if (depLicense === 'UNKNOWN' || !depLicense) {
+    return {
+      compatible: false, // Warn but don't block (handled by caller)
+      reason: 'No license field found'
+    }
+  }
+
+  // Handle custom licenses (WTFPL, proprietary, etc.)
+  const depLowerCase = depLicense.toLowerCase()
+  if (CUSTOM_COMPAT[depLowerCase]) {
+    if (CUSTOM_COMPAT[depLowerCase].compatibleWith === '*') {
+      return { compatible: true, reason: 'Ultra-permissive license' }
+    }
+  }
+
+  // Validate SPDX expressions
+  try {
+    parse(projectLicense)
+    parse(depLicense)
+  } catch (error) {
+    // Invalid SPDX expression
+    return {
+      compatible: false,
+      reason: `Invalid SPDX expression: ${depLicense}`
+    }
+  }
+
+  // Same license is always compatible
+  if (projectLicense === depLicense) {
+    return { compatible: true, reason: 'Compatible' }
+  }
+
+  // Check if both are permissive licenses
+  const projectIsPermissive = PERMISSIVE_LICENSES.includes(projectLicense)
+  const depIsPermissive = PERMISSIVE_LICENSES.includes(depLicense)
+
+  // Permissive licenses are compatible with each other
+  if (projectIsPermissive && depIsPermissive) {
+    return { compatible: true, reason: 'Compatible' }
+  }
+
+  // Check for copyleft restrictions
+  const depIsCopyleft = COPYLEFT_LICENSES.some(lic => depLicense.includes(lic))
+
+  // Permissive project cannot use copyleft dependencies
+  if (projectIsPermissive && depIsCopyleft) {
+    return {
+      compatible: false,
+      reason: 'Copyleft incompatible with permissive license'
+    }
+  }
+
+  // Copyleft project can use permissive dependencies
+  const projectIsCopyleft = COPYLEFT_LICENSES.some(lic => projectLicense.includes(lic))
+  if (projectIsCopyleft && depIsPermissive) {
+    return { compatible: true, reason: 'Compatible' }
+  }
+
+  // For complex expressions, try spdx-satisfies
+  try {
+    const isCompatible = satisfies(depLicense, projectLicense)
+    if (isCompatible) {
+      return { compatible: true, reason: 'Compatible' }
+    }
+  } catch (error) {
+    // Fall through to default incompatible
+  }
+
+  // Default: incompatible
+  return {
+    compatible: false,
+    reason: `License ${depLicense} incompatible with ${projectLicense}`
+  }
+}
+
+module.exports = { checkCompatibility, CUSTOM_COMPAT }

package/lib/scanner/index.js

@@ -0,0 +1,179 @@
+/**
+ * Dependency License Scanner
+ * Scans node_modules for license conflicts
+ */
+
+const fs = require('fs')
+const path = require('path')
+const chalk = require('chalk')
+const { checkCompatibility } = require('./compat-checker')
+const { showProgress } = require('./progress')
+
+/**
+ * Parse package.json to get dependencies
+ * @returns {{deps: string[], packageJson: Object}} Dependency list and package.json
+ */
+function parsePackageJson() {
+  try {
+    const content = fs.readFileSync('package.json', 'utf8')
+    const packageJson = JSON.parse(content)
+
+    // Only scan production dependencies
+    const deps = Object.keys(packageJson.dependencies || {})
+
+    return { deps, packageJson }
+  } catch (error) {
+    throw new Error('Failed to read package.json: ' + error.message)
+  }
+}
+
+/**
+ * Extract license info from a dependency
+ * @param {string} depName - Dependency name
+ * @returns {{name: string, version: string, license: string, path: string}} License info
+ */
+function extractLicense(depName) {
+  const depPath = path.join('node_modules', depName, 'package.json')
+
+  if (!fs.existsSync(depPath)) {
+    return {
+      name: depName,
+      version: 'unknown',
+      license: 'NOT_INSTALLED',
+      path: depPath
+    }
+  }
+
+  try {
+    const content = fs.readFileSync(depPath, 'utf8')
+    const depPackageJson = JSON.parse(content)
+
+    return {
+      name: depName,
+      version: depPackageJson.version || 'unknown',
+      license: depPackageJson.license || 'UNKNOWN',
+      path: depPath
+    }
+  } catch (error) {
+    return {
+      name: depName,
+      version: 'unknown',
+      license: 'PARSE_ERROR',
+      path: depPath
+    }
+  }
+}
+
+/**
+ * Scan all dependencies for license compatibility
+ * @param {string} projectLicense - The project's license
+ * @returns {Promise<Object>} Scan results
+ */
+async function scanDependencies(projectLicense) {
+  // 1. Read project package.json
+  const { deps } = parsePackageJson()
+
+  const results = {
+    timestamp: new Date().toISOString(),
+    totalDependencies: deps.length,
+    compatible: 0,
+    incompatible: 0,
+    unknown: 0,
+    issues: []
+  }
+
+  // 2. Scan each dependency
+  for (let i = 0; i < deps.length; i++) {
+    showProgress(i + 1, deps.length)
+
+    const depName = deps[i]
+    const depInfo = extractLicense(depName)
+
+    // Skip if not installed
+    if (depInfo.license === 'NOT_INSTALLED') {
+      continue
+    }
+
+    // Handle parse errors as unknown
+    if (depInfo.license === 'PARSE_ERROR') {
+      results.unknown++
+      results.issues.push({
+        package: `${depName}@${depInfo.version}`,
+        license: 'UNKNOWN',
+        type: 'warning',
+        reason: 'Failed to parse package.json',
+        location: depInfo.path
+      })
+      continue
+    }
+
+    // 3. Check compatibility
+    const compatResult = checkCompatibility(projectLicense, depInfo.license)
+
+    if (!compatResult.compatible) {
+      const isUnknown = depInfo.license === 'UNKNOWN'
+
+      if (isUnknown) {
+        results.unknown++
+      } else {
+        results.incompatible++
+      }
+
+      results.issues.push({
+        package: `${depName}@${depInfo.version}`,
+        license: depInfo.license,
+        type: isUnknown ? 'warning' : 'conflict',
+        reason: compatResult.reason,
+        location: depInfo.path
+      })
+    } else {
+      results.compatible++
+    }
+  }
+
+  return results
+}
+
+/**
+ * Display conflict report to console
+ * @param {Object} scanResult - Scan results
+ * @param {string} projectLicense - The project's license
+ * @returns {boolean} True if conflicts found (incompatible licenses), false otherwise
+ */
+function displayConflictReport(scanResult, projectLicense) {
+  if (scanResult.incompatible === 0 && scanResult.unknown === 0) {
+    console.log(chalk.green(`\n✅ All ${scanResult.totalDependencies} dependencies compatible with ${projectLicense.toUpperCase()}!`))
+    return false // No conflicts
+  }
+
+  const issueCount = scanResult.incompatible + scanResult.unknown
+  const hasConflicts = scanResult.incompatible > 0
+
+  if (hasConflicts) {
+    console.log(chalk.red(`\n❌ ${issueCount} issue(s) found:\n`))
+  } else {
+    // Only warnings, no conflicts
+    console.log(chalk.yellow(`\n⚠️  ${issueCount} warning(s) found:\n`))
+  }
+
+  for (const issue of scanResult.issues) {
+    if (issue.type === 'conflict') {
+      console.log(chalk.red(`❌ ${issue.package} (${issue.license})`))
+    } else {
+      console.log(chalk.yellow(`⚠️  ${issue.package} (${issue.license})`))
+    }
+    console.log(chalk.gray(`   ${issue.reason}`))
+    console.log(chalk.gray(`   Location: ${issue.location}\n`))
+  }
+
+  // Only return true if there are actual conflicts (incompatible licenses)
+  // Warnings (unknown licenses) should not block
+  return hasConflicts
+}
+
+module.exports = {
+  scanDependencies,
+  parsePackageJson,
+  extractLicense,
+  displayConflictReport
+}

package/lib/scanner/progress.js

@@ -0,0 +1,22 @@
+/**
+ * Progress indicator for dependency scanning
+ * Displays "Scanning dependencies... N/total" with in-place updates
+ */
+
+/**
+ * Show scanning progress indicator
+ * @param {number} current - Current dependency count
+ * @param {number} total - Total dependencies to scan
+ */
+function showProgress(current, total) {
+  // Clear current line and write progress
+  // \r returns to start of line without newline
+  process.stdout.write(`\rScanning dependencies... ${current}/${total}`)
+
+  // Newline when complete
+  if (current === total) {
+    process.stdout.write('\n')
+  }
+}
+
+module.exports = { showProgress }

package/lib/utils/file-ops.js

@@ -34,7 +34,24 @@ async function writeLicenseFile(content) {
 
 function writeConfig(config) {
   try {
-    const configContent = JSON.stringify(config, null, 2)
+    let finalConfig = config
+
+    // If .licenseguardrc exists, preserve existing fields when updating
+    if (fs.existsSync('.licenseguardrc')) {
+      try {
+        const existingContent = fs.readFileSync('.licenseguardrc', 'utf8')
+        const existingConfig = JSON.parse(existingContent)
+
+        // Merge: new config overwrites matching fields (including scanResult)
+        // But existing fields not in new config are preserved
+        finalConfig = { ...existingConfig, ...config }
+      } catch (parseError) {
+        // If existing file is malformed, just use new config
+        console.log(chalk.yellow('⚠️  Existing .licenseguardrc malformed, overwriting'))
+      }
+    }
+
+    const configContent = JSON.stringify(finalConfig, null, 2)
     fs.writeFileSync('.licenseguardrc', configContent, 'utf8')
     return true
   } catch (error) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "licenseguard-cli",
-  "version": "1.2.2",
-  "description": "License setup & compliance helper for developers",
+  "version": "2.0.0",
+  "description": "License setup & compliance guard for developers",
   "bin": {
     "licenseguard": "./bin/licenseguard.js"
   },
@@ -9,15 +9,24 @@
     "doc": "docs"
   },
   "scripts": {
+    "test": "jest",
+    "test:watch": "jest --watch",
+    "test:coverage": "jest --coverage",
+    "lint": "eslint .",
+    "format": "prettier --write .",
     "postinstall": "node lib/postinstall.js"
   },
   "keywords": [
     "license",
     "compliance",
+    "scanning",
+    "spdx",
+    "dependencies",
     "MIT",
     "Apache",
     "GPL",
-    "developer-tools"
+    "developer-tools",
+    "license-checker"
   ],
   "author": "v",
   "license": "MIT",
@@ -25,6 +34,13 @@
     "chalk": "^4.1.2",
     "commander": "^11.1.0",
     "inquirer": "^8.2.5",
-    "licenseguard-cli": "^1.2.0"
+    "spdx-expression-parse": "^4.0.0",
+    "spdx-satisfies": "^6.0.0"
+  },
+  "devDependencies": {
+    "eslint": "^8.54.0",
+    "jest": "^29.7.0",
+    "mock-fs": "^5.2.0",
+    "prettier": "^3.1.0"
   }
 }