licenseguard-cli 2.0.0 → 2.1.0

package/README.md

@@ -9,7 +9,7 @@ LicenseGuard helps you set up open source licenses and protects your project fro
 
 ## Key Features
 
-- **Dependency Scanning** - Scans npm dependencies for license conflicts during setup
+- **Multi-Ecosystem Scanning** - Scans dependencies across 5 ecosystems (Node.js, C++, Rust, Python, Go)
 - **Conflict Detection** - Detects incompatible licenses (e.g., GPL vs MIT) and blocks creation
 - **SPDX Compatibility** - Industry-standard license compatibility checking
 - **Scan Results** - Save scan results to `.licenseguardrc` for transparency
@@ -20,6 +20,20 @@ LicenseGuard helps you set up open source licenses and protects your project fro
 
 ---
 
+## Supported Ecosystems
+
+LicenseGuard scans dependencies across multiple languages and package managers:
+
+- **Node.js** - npm packages (`package.json`)
+- **C/C++** - Conan packages (`conanfile.txt`, `conanfile.py`)
+- **Rust** - Cargo crates (`Cargo.toml`)
+- **Python** - pip/pipenv/poetry packages (`requirements.txt`, `Pipfile`, `pyproject.toml`)
+- **Go** - Go modules (`go.mod`)
+
+Each ecosystem uses optimized detection strategies for maximum accuracy.
+
+---
+
 ## Quick Start
 
 ### For Developers (One-time Setup)
@@ -175,9 +189,21 @@ Fix conflicts or use --force to proceed anyway:
   licenseguard init --force
 ```
 
+**With Explanation (`--explain`):**
+```bash
+licenseguard init --explain
+# ...
+# ❌ libdwarf@0.9.1 (LGPL-2.1-only)
+#    Conflict: Copyleft incompatible with MIT
+#    ────────────────────────
+#    📚 FSF: MIT license is permissive and GPL-compatible
+#    🔗 https://www.gnu.org/licenses/license-list.html#Expat
+```
+
 **Flags:**
 - `--force` - Create LICENSE despite conflicts (shows warnings)
 - `--noscan` - Skip dependency scanning
+- `--explain` - Show authoritative source citations (FSF/OSI links) for conflicts
 
 ### `init --fast` - Non-Interactive Setup
 
@@ -339,12 +365,20 @@ LicenseGuard works without git:
 
 ### What licenses are checked during scanning?
 
-Scans **npm dependencies only** (reads `package.json` and `node_modules`). It checks:
+LicenseGuard **auto-detects your project type** and scans the appropriate ecosystem:
+- **Node.js**: Reads `package.json` and `node_modules/*/package.json`
+- **C/C++**: Reads Conan metadata via `conan graph info`
+- **Rust**: Reads `cargo metadata` JSON output
+- **Python**: Uses native Python `importlib.metadata` (98.6% detection rate)
+- **Go**: Reads `go.mod` and scans `GOMODCACHE` with streaming NDJSON
+
+All ecosystems check:
 - SPDX license identifiers (MIT, Apache-2.0, GPL-3.0, BSD-3-Clause, ISC, etc.)
 - License compatibility using industry-standard rules
 - Copyleft vs permissive conflicts (e.g., GPL incompatible with MIT)
+- Multi-strategy detection including Jaccard Index similarity matching
 
-For non-JavaScript projects, use `--noscan` flag.
+Mixed-language projects are not yet supported. Use `--noscan` flag if detection is incorrect.
 
 ### How does SPDX compatibility work?
 
@@ -378,12 +412,14 @@ This is useful for:
 
 ### Does this work for non-JavaScript projects?
 
-**Yes!** LicenseGuard works for any project:
-- Python projects
-- Rust/Cargo projects
-- Go modules
-- Ruby gems
-- Any language
+**Yes!** LicenseGuard natively supports 5 ecosystems:
+- **Node.js** - Full dependency scanning
+- **C/C++** - Conan package scanning (requires Conan 2.x or 1.x installed)
+- **Rust** - Cargo crate scanning (requires Cargo installed)
+- **Python** - Native package scanning with 98.6% accuracy (requires Python 3.7+)
+- **Go** - Go module scanning (requires Go installed)
+
+For other languages (Ruby, PHP, etc.), the LICENSE file and git hooks still work, but dependency scanning is not yet available. Use `--noscan` flag for those projects.
 
 The hooks only need Node.js installed (which most developers have).
 

package/bin/licenseguard.js

@@ -18,6 +18,7 @@ program
   .description('Interactive license setup with dependency scanning')
   .option('--force', 'Create LICENSE despite conflicts')
   .option('--noscan', 'Skip dependency scanning')
+  .option('--explain', 'Show authoritative source citations for license compatibility decisions')
   .option('--fast', 'Non-interactive mode with auto-detection')
   .option('--license <type>', 'License type (for --fast mode)')
   .option('--owner <name>', 'Copyright owner name (for --fast mode)')

package/lib/commands/init-fast.js

@@ -6,6 +6,7 @@ const { generateLicense, LICENSE_TEMPLATES } = require('../templates')
 const { writeConfig } = require('../utils/file-ops')
 const { isGitRepo, installHooks } = require('../utils/git-helpers')
 const { scanDependencies, displayConflictReport } = require('../scanner')
+const { toSPDX } = require('../utils/license-mapper')
 
 function getGitConfig(key) {
   try {
@@ -67,16 +68,7 @@ async function runInitFast(options) {
     // Scanner integration (Story 2.3) - Fast mode
     let scanResult = null
     if (!options.noscan) {
-      // Convert internal license format to SPDX identifier
-      const licenseToSPDX = {
-        'mit': 'MIT',
-        'apache2_0': 'Apache-2.0',
-        'gpl3_0': 'GPL-3.0',
-        'bsd3clause': 'BSD-3-Clause',
-        'isc': 'ISC',
-        'wtfpl': 'WTFPL'
-      }
-      const spdxLicense = licenseToSPDX[flags.license] || flags.license.toUpperCase()
+      const spdxLicense = toSPDX(flags.license)
 
       try {
         console.log(chalk.blue('🔍 Scanning dependencies for license conflicts...\n'))

package/lib/commands/init.js

@@ -4,6 +4,7 @@ const { generateLicense } = require('../templates')
 const { writeLicenseFile, writeConfig } = require('../utils/file-ops')
 const { isGitRepo, initGitRepo, installHooks } = require('../utils/git-helpers')
 const { scanDependencies, displayConflictReport } = require('../scanner')
+const { toSPDX } = require('../utils/license-mapper')
 
 async function runInit(options = {}) {
   try {
@@ -52,22 +53,13 @@ async function runInit(options = {}) {
     // Scanner integration (Story 2.3)
     let scanResult = null
     if (!options.noscan) {
-      // Convert internal license format to SPDX identifier
-      const licenseToSPDX = {
-        'mit': 'MIT',
-        'apache2_0': 'Apache-2.0',
-        'gpl3_0': 'GPL-3.0',
-        'bsd3clause': 'BSD-3-Clause',
-        'isc': 'ISC',
-        'wtfpl': 'WTFPL'
-      }
-      const spdxLicense = licenseToSPDX[answers.license] || answers.license.toUpperCase()
+      const spdxLicense = toSPDX(answers.license)
 
       try {
         console.log(chalk.blue('\n🔍 Scanning dependencies for license conflicts...\n'))
 
         scanResult = await scanDependencies(spdxLicense)
-        const hasConflicts = displayConflictReport(scanResult, spdxLicense)
+        const hasConflicts = displayConflictReport(scanResult, spdxLicense, { explain: options.explain })
 
         if (hasConflicts && !options.force) {
           // Block LICENSE creation due to conflicts

package/lib/commands/scan.js

@@ -0,0 +1,121 @@
+/**
+ * Scan Command Handler
+ * Runs dependency scanning without modifying project files
+ */
+
+const chalk = require('chalk')
+const fs = require('fs')
+const path = require('path')
+const { scanDependencies, displayConflictReport } = require('../scanner')
+const { detectLicenseFromText } = require('../scanner/license-detector')
+
+/**
+ * Try to detect project license from local files
+ * @returns {string|null} Detected license or null
+ */
+function detectProjectLicense() {
+  // 1. Try .licenseguardrc
+  if (fs.existsSync('.licenseguardrc')) {
+    try {
+      const config = JSON.parse(fs.readFileSync('.licenseguardrc', 'utf8'))
+      if (config.license) return config.license
+    } catch (e) {
+      // Ignore config error
+    }
+  }
+
+  // 2. Try LICENSE file
+  const licenseFiles = ['LICENSE', 'LICENSE.txt', 'LICENSE.md', 'COPYING']
+  for (const file of licenseFiles) {
+    if (fs.existsSync(file)) {
+      const content = fs.readFileSync(file, 'utf8')
+      const detected = detectLicenseFromText(content)
+      if (detected && detected !== 'UNKNOWN') {
+        return detected
+      }
+    }
+  }
+
+  // 3. Try package managers (basic check)
+  if (fs.existsSync('package.json')) {
+    try {
+      const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'))
+      if (pkg.license) return pkg.license
+    } catch (e) {}
+  }
+
+  if (fs.existsSync('Cargo.toml')) {
+    // TODO: Parse Cargo.toml for license
+  }
+
+  return null
+}
+
+/**
+ * Run the scan command
+ * @param {Object} options - Command options
+ */
+async function runScan(options) {
+  // 1. Handle CWD
+  if (options.cwd) {
+    try {
+      process.chdir(options.cwd)
+    } catch (error) {
+      throw new Error(`Failed to change directory to ${options.cwd}: ${error.message}`)
+    }
+  }
+
+  console.log(chalk.blue(`📂 Scanning in: ${process.cwd()}`))
+
+  // 2. Determine Project License
+  let projectLicense = options.license
+
+  if (!projectLicense) {
+    projectLicense = detectProjectLicense()
+    if (projectLicense) {
+      console.log(chalk.blue(`ℹ️  Detected project license: ${projectLicense}`))
+    }
+  }
+
+  if (!projectLicense) {
+    throw new Error(
+      'Could not determine project license.\n' +
+      'Please create a LICENSE file, use "licenseguard init", or specify --license <type>'
+    )
+  }
+
+  // 3. Run Scan
+  console.log(chalk.gray('🔍 Scanning dependencies...'))
+  
+  try {
+    const results = await scanDependencies(projectLicense)
+
+    // 4. Display Report
+    const hasConflicts = displayConflictReport(results, projectLicense, {
+      explain: options.explain
+    })
+
+    // 5. Handle Exit Code
+    if (hasConflicts && !options.allow) {
+      console.log(chalk.red('\n❌ Scan failed: License conflicts detected.'))
+      process.exit(1)
+    } else if (hasConflicts && options.allow) {
+      console.log(chalk.yellow('\n⚠️  Scan passed (conflicts allowed via flag).'))
+    } 
+    
+    // Handle unknown licenses if fail-on-unknown flag is set
+    if (options.failOnUnknown && results.unknown > 0) {
+      console.log(chalk.red('\n❌ Scan failed: Unknown licenses detected (--fail-on-unknown).'))
+      process.exit(1)
+    }
+
+  } catch (error) {
+    // Check for specific plugin errors
+    if (error.message.includes('No supported package manager')) {
+      throw new Error('No supported package manager found (package.json, go.mod, Cargo.toml, etc.)')
+    }
+    throw error
+  }
+}
+
+module.exports = { runScan }