npm - licenseguard-cli - Versions diffs - 2.0.0 → 2.1.1 - Mend

licenseguard-cli 2.0.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/CHANGELOG.md +210 -0
package/README.md +111 -9
package/bin/licenseguard.js +26 -0
package/lib/commands/init-fast.js +2 -10
package/lib/commands/init.js +3 -11
package/lib/commands/scan.js +122 -0
package/lib/scanner/color-mapper.js +87 -0
package/lib/scanner/compat-checker.js +369 -50
package/lib/scanner/index.js +75 -117
package/lib/scanner/license-compatibility-matrix.json +338 -0
package/lib/scanner/license-detector.js +847 -0
package/lib/scanner/license-normalizer.js +357 -0
package/lib/scanner/plugins/cpp.js +267 -0
package/lib/scanner/plugins/go.js +420 -0
package/lib/scanner/plugins/node.js +149 -0
package/lib/scanner/plugins/python-license-scanner.py +173 -0
package/lib/scanner/plugins/python.js +336 -0
package/lib/scanner/plugins/rust.js +196 -0
package/lib/utils/license-mapper.js +28 -0
package/lib/utils/update-notifier.js +141 -0
package/package.json +2 -2

package/lib/scanner/license-detector.js ADDED Viewed

@@ -0,0 +1,847 @@
+/**
+ * License Detector - Multi-strategy license detection
+ *
+ * Algorithm (5-Layer Detection):
+ * 1. SPDX-License-Identifier header (authoritative, instant)
+ * 2. License header/title detection (for full license texts)
+ * 3. Dual-license indicators
+ * 4. Key phrase patterns (distinctive phrases)
+ * 5. Jaccard similarity (fallback for edge cases)
+ *
+ * Safety Features:
+ * - Restrictive clause detection (Commons Clause, Non-commercial, etc.)
+ * - Only processes LICENSE/COPYING files (handled by plugins)
+ *
+ * Based on domain research: docs/domain-brief.md
+ * - Pattern 3: Multi-Strategy License Detection
+ * - Covers top 20 licenses (95% of real-world packages)
+ *
+ * Jaccard Index = |A ∩ B| / |A ∪ B|
+ * Performance: O(n) where n = number of tokens
+ * Accuracy: ~98% for top 20 licenses (short and full texts)
+ */
+// ============================================
+// SPDX Identifier Detection (fastest path)
+// ============================================
+const SPDX_REGEX = /SPDX-License-Identifier:\s*([^\n\r]+)/i
+// ============================================
+// License Header Patterns (Layer 2)
+// Matches title in first ~500 chars of full license texts
+// ============================================
+const LICENSE_HEADER_PATTERNS = {
+  'Apache-2.0': [
+    /apache\s+license[,]?\s*version\s*2\.0/i,
+    /apache\s+license\s*\n\s*version\s*2\.0/i
+  ],
+  'MIT': [
+    /\b(the\s+)?mit\s+license\b/i,
+    /\(mit\)/i
+  ],
+  'BSD-3-Clause': [
+    /bsd\s+3[- ]clause\s+(license|"new")/i,
+    /\b3[- ]clause\s+bsd\b/i
+  ],
+  'BSD-2-Clause': [
+    /bsd\s+2[- ]clause\s+license/i,
+    /simplified\s+bsd\s+license/i
+  ],
+  'ISC': [
+    /\bisc\s+license\b/i
+  ],
+  'GPL-3.0-only': [
+    /gnu\s+general\s+public\s+license\s*\n?\s*version\s*3/i
+  ],
+  'GPL-2.0-only': [
+    /gnu\s+general\s+public\s+license\s*\n?\s*version\s*2(?!\.1)/i
+  ],
+  'LGPL-3.0-only': [
+    /gnu\s+lesser\s+general\s+public\s+license\s*\n?\s*version\s*3/i
+  ],
+  'LGPL-2.1-only': [
+    /gnu\s+lesser\s+general\s+public\s+license\s*\n?\s*version\s*2\.1/i
+  ],
+  'AGPL-3.0-only': [
+    /gnu\s+affero\s+general\s+public\s+license\s*\n?\s*version\s*3/i
+  ],
+  'MPL-2.0': [
+    /mozilla\s+public\s+license\s*\n?\s*version\s*2\.0/i
+  ],
+  'Unlicense': [
+    /\bunlicense\b/i,
+    /this\s+is\s+free\s+and\s+unencumbered\s+software/i
+  ],
+  'CC0-1.0': [
+    /cc0\s+1\.0\s+universal/i,
+    /creative\s+commons.*?cc0/i
+  ],
+  'WTFPL': [
+    /do\s+what\s+the\s+fuck\s+you\s+want\s+to\s+public\s+license/i,
+    /\bwtfpl\b/i
+  ],
+  'Zlib': [
+    /\bzlib\s+license\b/i
+  ],
+  'BSL-1.0': [
+    /boost\s+software\s+license\s*[-–]?\s*version\s*1\.0/i
+  ],
+  '0BSD': [
+    /\b0bsd\b/i,
+    /zero[- ]clause\s+bsd/i
+  ]
+}
+// ============================================
+// Key Phrase Patterns (Layer 4)
+// Distinctive phrases that work for BOTH short notices AND full texts
+// ============================================
+const KEY_PHRASE_PATTERNS = {
+  'Apache-2.0': [
+    /terms\s+and\s+conditions\s+for\s+use,?\s+reproduction,?\s+and\s+distribution/i,
+    /perpetual,?\s+worldwide,?\s+non-exclusive,?\s+no-charge,?\s+royalty-free/i,
+    /http:\/\/www\.apache\.org\/licenses\//i,
+    /licensed\s+under\s+the\s+apache\s+license/i
+  ],
+  'MIT': [
+    /permission\s+is\s+hereby\s+granted,?\s+free\s+of\s+charge/i,
+    /to\s+deal\s+in\s+the\s+software\s+without\s+restriction/i
+  ],
+  'BSD-3-Clause': [
+    /neither\s+the\s+name.*?nor\s+the\s+names\s+of\s+its\s+contributors/i,
+    /may\s+be\s+used\s+to\s+endorse\s+or\s+promote\s+products/i
+  ],
+  'BSD-2-Clause': [
+    /redistribution\s+and\s+use\s+in\s+source\s+and\s+binary\s+forms/i
+  ],
+  'ISC': [
+    /permission\s+to\s+use,?\s+copy,?\s+modify,?\s+and\/?or\s+distribute/i,
+    /for\s+any\s+purpose\s+with\s+or\s+without\s+fee/i
+  ],
+  'GPL-3.0-only': [
+    /29\s+june\s+2007/i,
+    /you\s+may\s+convey\s+a\s+covered\s+work/i
+  ],
+  'GPL-2.0-only': [
+    /june\s+1991/i,
+    /verbatim\s+copies\s+of\s+this\s+license\s+document/i
+  ],
+  'LGPL-3.0-only': [
+    /additional\s+permissions.*?version\s+3\s+of\s+the\s+gnu\s+general/i
+  ],
+  'LGPL-2.1-only': [
+    /gnu\s+library\s+general\s+public\s+license/i
+  ],
+  'MPL-2.0': [
+    /this\s+source\s+code\s+form\s+is\s+subject\s+to\s+the\s+terms/i,
+    /mozilla\.org\/mpl/i
+  ],
+  'Unlicense': [
+    /free\s+and\s+unencumbered\s+software\s+released\s+into\s+the\s+public\s+domain/i
+  ],
+  'CC0-1.0': [
+    /waived\s+all\s+copyright\s+and\s+related\s+or\s+neighboring\s+rights/i
+  ],
+  'Zlib': [
+    /the\s+origin\s+of\s+this\s+software\s+must\s+not\s+be\s+misrepresented/i
+  ],
+  'BSL-1.0': [
+    /permission\s+is\s+hereby\s+granted.*?to\s+any\s+person\s+or\s+organization/i
+  ]
+}
+// ============================================
+// Restrictive Clause Detection (Safety Feature)
+// Detects modifications that change license nature
+// Returns 'MODIFIED' if base license + restrictive clause found
+// ============================================
+const RESTRICTIVE_CLAUSES = [
+  // Commons Clause - makes commercial use restricted
+  { pattern: /commons\s+clause/i, name: 'Commons Clause' },
+  // Non-commercial restrictions
+  { pattern: /non[- ]?commercial\s+(use\s+)?only/i, name: 'Non-Commercial' },
+  { pattern: /not\s+(be\s+)?used\s+for\s+commercial\s+purposes?/i, name: 'Non-Commercial' },
+  // Military restrictions
+  { pattern: /prohibited\s+for\s+military/i, name: 'Military Restriction' },
+  { pattern: /not\s+(be\s+)?used.*?military/i, name: 'Military Restriction' },
+  // SSPL (Server Side Public License) - MongoDB's license
+  { pattern: /server\s+side\s+public\s+license/i, name: 'SSPL' },
+  // Ethical restrictions
+  { pattern: /ethical\s+use/i, name: 'Ethical Use Restriction' },
+  { pattern: /do\s+no\s+harm/i, name: 'Do No Harm Clause' },
+  // Time-delayed open source (BSL style)
+  { pattern: /change\s+date/i, name: 'Time-Delayed License' },
+  // Additional restrictions indicator
+  { pattern: /additional\s+restrictions?\s+apply/i, name: 'Additional Restrictions' }
+]
+/**
+ * Check for restrictive clauses that modify a base license
+ * @param {string} text - License text
+ * @returns {{found: boolean, clauses: string[]}
+ */
+function detectRestrictiveClauses(text) {
+  const found = []
+  for (const { pattern, name } of RESTRICTIVE_CLAUSES) {
+    if (pattern.test(text)) {
+      found.push(name)
+    }
+  }
+  return { found: found.length > 0, clauses: found }
+}
+// ============================================
+// Stopwords - Common words that add noise
+// ============================================
+const STOPWORDS = new Set([
+  // Articles & Pronouns
+  'the', 'this', 'that', 'these', 'those', 'which', 'what', 'who', 'whom',
+  // Prepositions
+  'for', 'from', 'with', 'into', 'onto', 'upon', 'about', 'above', 'below',
+  'between', 'through', 'during', 'before', 'after', 'under', 'over',
+  // Conjunctions
+  'and', 'but', 'yet', 'nor', 'because', 'although', 'unless', 'while',
+  // Common verbs (non-license-specific)
+  'have', 'has', 'had', 'been', 'being', 'are', 'was', 'were', 'will',
+  'would', 'could', 'should', 'may', 'might', 'must', 'shall', 'can',
+  // Other common words
+  'any', 'all', 'each', 'every', 'both', 'either', 'neither', 'such',
+  'other', 'another', 'some', 'most', 'more', 'less', 'than', 'then',
+  'also', 'only', 'just', 'even', 'still', 'very', 'too', 'own',
+  // Numbers written out
+  'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine', 'ten'
+])
+// ============================================
+// License Templates - FINGERPRINTS ONLY
+// Most distinctive phrases for each license
+// ============================================
+const LICENSE_TEMPLATES = {
+  // Keep natural phrase flow - stopwords will be filtered during tokenization
+  'MIT': `
+    permission is hereby granted free of charge to any person obtaining a copy
+    of this software and associated documentation files the software to deal
+    in the software without restriction including without limitation the rights
+    to use copy modify merge publish distribute sublicense and or sell copies
+    of the software and to permit persons to whom the software is furnished
+    the software is provided as is without warranty of any kind express or implied
+    including but not limited to the warranties of merchantability fitness for
+    a particular purpose and noninfringement
+    authors or copyright holders be liable for any claim damages or other liability
+  `,
+  'Apache-2.0': `
+    licensed under the apache license version 2.0 the license
+    you may not use this file except in compliance with the license
+    you may obtain a copy of the license at apache org licenses
+    unless required by applicable law or agreed to in writing software
+    distributed under the license is distributed on an as is basis
+    without warranties or conditions of any kind either express or implied
+    see the license for the specific language governing permissions and limitations
+  `,
+  'BSD-3-Clause': `
+    redistribution and use in source and binary forms with or without modification
+    are permitted provided that the following conditions are met
+    redistributions of source code must retain the above copyright notice
+    this list of conditions and the following disclaimer
+    redistributions in binary form must reproduce the above copyright notice
+    neither the name of the copyright holder nor the names of its contributors
+    may be used to endorse or promote products derived from this software
+    without specific prior written permission
+    this software is provided by the copyright holders and contributors as is
+  `,
+  'BSD-2-Clause': `
+    redistribution and use in source and binary forms with or without modification
+    are permitted provided that the following conditions are met
+    redistributions of source code must retain the above copyright notice
+    redistributions in binary form must reproduce the above copyright notice
+    this software is provided by the copyright holders and contributors as is
+    and any express or implied warranties including but not limited to
+    the implied warranties of merchantability and fitness
+  `,
+  'ISC': `
+    permission to use copy modify and or distribute this software
+    for any purpose with or without fee is hereby granted
+    provided that the above copyright notice and this permission notice
+    appear in all copies
+    the software is provided as is and the author disclaims all warranties
+    with regard to this software including all implied warranties of
+    merchantability and fitness in no event shall the author be liable
+    for any special direct indirect or consequential damages
+  `,
+  'GPL-3.0-only': `
+    gnu general public license version 3 29 june 2007
+    this program is free software you can redistribute it and or modify
+    it under the terms of the gnu general public license as published by
+    the free software foundation either version 3 of the license
+    or at your option any later version
+    this program is distributed in the hope that it will be useful
+    but without any warranty without even the implied warranty of
+    merchantability or fitness for a particular purpose
+    see the gnu general public license for more details
+    you should have received a copy of the gnu general public license
+    along with this program
+  `,
+  'GPL-2.0-only': `
+    gnu general public license version 2 june 1991
+    this program is free software you can redistribute it and or modify
+    it under the terms of the gnu general public license as published by
+    the free software foundation either version 2 of the license
+    or at your option any later version
+    this program is distributed in the hope that it will be useful
+    but without any warranty without even the implied warranty of
+    merchantability or fitness for a particular purpose
+    see the gnu general public license for more details
+    you may copy and distribute verbatim copies
+  `,
+  'LGPL-3.0-only': `
+    gnu lesser general public license version 3
+    this license is a set of additional permissions added to version 3
+    of the gnu general public license
+    you may convey a combined work under terms of your choice
+    application library corresponding application code
+  `,
+  'LGPL-2.1-only': `
+    gnu lesser general public license version 2.1
+    this license a modified version of the ordinary general public license
+    applies to certain designated libraries and is quite different from
+    the ordinary general public license
+    library or work which has been distributed under these terms
+  `,
+  'MPL-2.0': `
+    mozilla public license version 2.0
+    this source code form is subject to the terms of the mozilla public license
+    if a copy of the mpl was not distributed with this file
+    you can obtain one at mozilla org mpl 2.0
+    definitions contributor means each individual or legal entity
+    covered software source code form executable form
+    each contributor hereby grants you a world wide royalty free
+    non exclusive license
+  `,
+  'Unlicense': `
+    this is free and unencumbered software released into the public domain
+    anyone is free to copy modify publish use compile sell or distribute
+    this software either in source code form or as a compiled binary
+    for any purpose commercial or non commercial and by any means
+    in jurisdictions that recognize copyright laws the author or authors
+    of this software dedicate any and all copyright interest
+  `,
+  'CC0-1.0': `
+    cc0 1.0 universal creative commons zero
+    to the extent possible under law the person who associated cc0
+    with this work has waived all copyright and related or neighboring rights
+    public domain dedication affirmer
+  `,
+  'WTFPL': `
+    do what the fuck you want to public license
+    everyone is permitted to copy and distribute verbatim or modified
+    copies of this license document and changing it is allowed
+    as long as the name is changed
+    you just do what the fuck you want to
+  `,
+  'Zlib': `
+    this software is provided as is without any express or implied warranty
+    in no event will the authors be held liable for any damages
+    arising from the use of this software
+    permission is granted to anyone to use this software for any purpose
+    including commercial applications and to alter it and redistribute it freely
+    subject to the following restrictions
+    the origin of this software must not be misrepresented
+  `,
+  'BSL-1.0': `
+    boost software license version 1.0
+    permission is hereby granted free of charge to any person or organization
+    obtaining a copy of the software and accompanying documentation
+    covered by this license the software to use reproduce display distribute
+    execute and transmit the software and to prepare derivative works
+    of the software and to permit third parties to whom the software
+    is furnished to do so all subject to the following
+    the copyright notices in the software and this entire statement
+    including the above license grant this restriction and the following disclaimer
+    must be included in all copies of the software in whole or in part
+  `
+}
+// ============================================
+// Pre-tokenized template cache (bigrams)
+// ============================================
+const TEMPLATE_TOKENS = new Map()
+/**
+ * Tokenize text into a Set of bigrams (word pairs)
+ * - Lowercase
+ * - Remove punctuation
+ * - Filter stopwords
+ * - Generate bigrams for context preservation
+ *
+ * @param {string} text - Input text
+ * @returns {Set<string>} Set of bigram tokens
+ */
+function tokenize(text) {
+  if (!text || typeof text !== 'string') {
+    return new Set()
+  }
+  // Step 1: Clean and split into words
+  const words = text
+    .toLowerCase()
+    .replace(/[^\w\s]/g, ' ')  // Remove punctuation
+    .split(/\s+/)
+    .filter(word => word.length >= 3)  // Remove tiny words
+    .filter(word => !STOPWORDS.has(word))  // Remove stopwords
+  // Step 2: Generate bigrams
+  const bigrams = new Set()
+  for (let i = 0; i < words.length - 1; i++) {
+    bigrams.add(`${words[i]} ${words[i + 1]}`)
+  }
+  // Also add unigrams for important license-specific words
+  const importantWords = [
+    'mit', 'apache', 'bsd', 'gpl', 'lgpl', 'agpl', 'mpl', 'isc',
+    'boost', 'zlib', 'unlicense', 'wtfpl', 'cc0', 'mozilla',
+    'gnu', 'general', 'public', 'lesser', 'affero',
+    'copyleft', 'permissive', 'proprietary', 'commercial',
+    'redistribute', 'sublicense', 'merchantability', 'noninfringement'
+  ]
+  for (const word of words) {
+    if (importantWords.includes(word)) {
+      bigrams.add(word)
+    }
+  }
+  return bigrams
+}
+/**
+ * Initialize template token cache
+ * Called once at module load
+ */
+function initTemplateCache() {
+  for (const [licenseId, template] of Object.entries(LICENSE_TEMPLATES)) {
+    TEMPLATE_TOKENS.set(licenseId, tokenize(template))
+  }
+}
+// Initialize on module load
+initTemplateCache()
+// ============================================
+// Jaccard Similarity
+// ============================================
+/**
+ * Calculate Jaccard similarity between two token sets
+ * Jaccard Index = |A ∩ B| / |A ∪ B|
+ *
+ * @param {Set<string>} setA - First token set
+ * @param {Set<string>} setB - Second token set
+ * @returns {number} Similarity score 0.0 - 1.0
+ */
+function jaccardSimilarity(setA, setB) {
+  if (setA.size === 0 || setB.size === 0) {
+    return 0
+  }
+  // Calculate intersection
+  let intersectionSize = 0
+  for (const token of setA) {
+    if (setB.has(token)) {
+      intersectionSize++
+    }
+  }
+  // Calculate union size: |A| + |B| - |A ∩ B|
+  const unionSize = setA.size + setB.size - intersectionSize
+  return intersectionSize / unionSize
+}
+// ============================================
+// Dual License Detection
+// ============================================
+/**
+ * Detect explicit dual-license indicators in text
+ *
+ * @param {string} text - License file content
+ * @returns {string|null} SPDX expression or null
+ */
+function detectDualLicense(text) {
+  if (!text) return null
+  // Pattern: "dual licensed under MIT and Apache"
+  const dualMatch = text.match(
+    /dual\s+licen[cs]ed?\s+under\s+(?:the\s+)?(\w+(?:[-.]?\d+)?)\s+(?:and|or)\s+(?:the\s+)?(\w+(?:[-.]?\d+)?)/i
+  )
+  if (dualMatch) {
+    const license1 = normalizeLicenseName(dualMatch[1])
+    const license2 = normalizeLicenseName(dualMatch[2])
+    if (license1 && license2) {
+      return `${license1} OR ${license2}`
+    }
+  }
+  // Pattern: "licensed under either MIT or Apache"
+  const eitherMatch = text.match(
+    /licen[cs]ed?\s+under\s+either\s+(?:the\s+)?(\w+(?:[-.]?\d+)?)\s+or\s+(?:the\s+)?(\w+(?:[-.]?\d+)?)/i
+  )
+  if (eitherMatch) {
+    const license1 = normalizeLicenseName(eitherMatch[1])
+    const license2 = normalizeLicenseName(eitherMatch[2])
+    if (license1 && license2) {
+      return `${license1} OR ${license2}`
+    }
+  }
+  return null
+}
+/**
+ * Normalize common license name variations to SPDX identifier
+ *
+ * @param {string} name - License name from text
+ * @returns {string|null} SPDX identifier or null
+ */
+function normalizeLicenseName(name) {
+  if (!name) return null
+  const upper = name.toUpperCase()
+  // Common mappings
+  const mappings = {
+    'MIT': 'MIT',
+    'APACHE': 'Apache-2.0',
+    'APACHE2': 'Apache-2.0',
+    'APACHE-2': 'Apache-2.0',
+    'APACHE2.0': 'Apache-2.0',
+    'BSD': 'BSD-3-Clause',
+    'BSD3': 'BSD-3-Clause',
+    'BSD2': 'BSD-2-Clause',
+    'ISC': 'ISC',
+    'GPL': 'GPL-3.0-only',
+    'GPL3': 'GPL-3.0-only',
+    'GPL2': 'GPL-2.0-only',
+    'LGPL': 'LGPL-3.0-only',
+    'LGPL3': 'LGPL-3.0-only',
+    'LGPL2': 'LGPL-2.1-only',
+    'MPL': 'MPL-2.0',
+    'MPL2': 'MPL-2.0',
+    'UNLICENSE': 'Unlicense',
+    'CC0': 'CC0-1.0',
+    'WTFPL': 'WTFPL',
+    'ZLIB': 'Zlib',
+    'BOOST': 'BSL-1.0',
+    'BSL': 'BSL-1.0'
+  }
+  return mappings[upper] || null
+}
+// ============================================
+// BSD-2 vs BSD-3 Differentiation
+// ============================================
+/**
+ * Differentiate between BSD-2-Clause and BSD-3-Clause
+ * BSD-3 has the "endorsement" clause, BSD-2 does not
+ *
+ * @param {string} text - License text
+ * @returns {string} 'BSD-3-Clause' or 'BSD-2-Clause'
+ */
+function differentitateBSD(text) {
+  // BSD-3 specific clause: "may be used to endorse or promote"
+  // This is the key phrase that distinguishes BSD-3 from BSD-2
+  const hasBSD3Clause =
+    /may\s+be\s+used\s+to\s+endorse\s+or\s+promote/i.test(text) ||
+    /neither\s+the\s+name[\s\S]*?may\s+(?:not\s+)?be\s+used\s+to\s+endorse/i.test(text)
+  return hasBSD3Clause ? 'BSD-3-Clause' : 'BSD-2-Clause'
+}
+// ============================================
+// GPL-2 vs GPL-3 Differentiation
+// ============================================
+/**
+ * Differentiate between GPL-2.0 and GPL-3.0
+ * Based on version number and unique phrases
+ *
+ * @param {string} text - License text
+ * @returns {string} 'GPL-3.0-only' or 'GPL-2.0-only'
+ */
+function differentiatGPL(text) {
+  // GPL-3 specific indicators
+  const hasGPL3 = /version\s+3/i.test(text) ||
+                  /29\s+june\s+2007/i.test(text) ||
+                  /convey/i.test(text) ||
+                  /corresponding\s+source/i.test(text) ||
+                  /propagate/i.test(text)
+  // GPL-2 specific indicators
+  const hasGPL2 = /version\s+2/i.test(text) ||
+                  /june\s+1991/i.test(text) ||
+                  /verbatim\s+copies/i.test(text)
+  // If has GPL-3 indicators and no GPL-2, it's GPL-3
+  if (hasGPL3 && !hasGPL2) return 'GPL-3.0-only'
+  // If has GPL-2 indicators and no GPL-3, it's GPL-2
+  if (hasGPL2 && !hasGPL3) return 'GPL-2.0-only'
+  // If has both or neither, check for explicit version
+  if (/either\s+version\s+3/i.test(text)) return 'GPL-3.0-only'
+  if (/either\s+version\s+2/i.test(text)) return 'GPL-2.0-only'
+  // Default to GPL-3 (more common in modern projects)
+  return 'GPL-3.0-only'
+}
+// ============================================
+// Main Detection Function
+// ============================================
+/**
+ * Detect license from header patterns (Layer 2)
+ * Checks first 500 chars for license title/header
+ *
+ * @param {string} text - License text (first 500 chars recommended)
+ * @returns {string|null} SPDX identifier or null
+ */
+function detectFromHeader(text) {
+  const header = text.substring(0, 500)
+  for (const [licenseId, patterns] of Object.entries(LICENSE_HEADER_PATTERNS)) {
+    for (const pattern of patterns) {
+      if (pattern.test(header)) {
+        return licenseId
+      }
+    }
+  }
+  return null
+}
+/**
+ * Detect license from key phrases (Layer 4)
+ * Checks for distinctive phrases that identify licenses
+ *
+ * @param {string} text - Full license text
+ * @returns {string|null} SPDX identifier or null
+ */
+function detectFromKeyPhrases(text) {
+  // Score each license by matching phrases
+  const scores = {}
+  for (const [licenseId, patterns] of Object.entries(KEY_PHRASE_PATTERNS)) {
+    scores[licenseId] = 0
+    for (const pattern of patterns) {
+      if (pattern.test(text)) {
+        scores[licenseId]++
+      }
+    }
+  }
+  // Find best match with at least 1 phrase match
+  let bestLicense = null
+  let bestScore = 0
+  for (const [licenseId, score] of Object.entries(scores)) {
+    if (score > bestScore) {
+      bestScore = score
+      bestLicense = licenseId
+    }
+  }
+  // Require at least 1 phrase match
+  return bestScore >= 1 ? bestLicense : null
+}
+/**
+ * Detect license from LICENSE file text content
+ *
+ * Algorithm (5-Layer Multi-Strategy):
+ * 1. SPDX-License-Identifier header (authoritative)
+ * 2. License header/title detection (for full license texts)
+ * 3. Dual-license indicators
+ * 4. Key phrase patterns (distinctive phrases)
+ * 5. Jaccard similarity (fallback)
+ *
+ * Safety: Detects restrictive clauses (Commons Clause, etc.)
+ *
+ * @param {string} text - LICENSE file content
+ * @returns {string} SPDX license identifier or 'UNKNOWN'
+ */
+function detectLicenseFromText(text) {
+  // Guard: empty or invalid input
+  if (!text || typeof text !== 'string') {
+    return 'UNKNOWN'
+  }
+  // Normalize whitespace
+  const normalizedText = text.trim()
+  // Guard: too short to be a license
+  if (normalizedText.length < 50) {
+    return 'UNKNOWN'
+  }
+  // ============================================
+  // Safety Check: Detect restrictive clauses FIRST
+  // If found, return UNKNOWN (modified license)
+  // ============================================
+  const restrictions = detectRestrictiveClauses(normalizedText)
+  if (restrictions.found) {
+    // License has restrictive modifications - treat as unknown/proprietary
+    // Could also return `${baseLicense}-Modified` but UNKNOWN is safer
+    return 'UNKNOWN'
+  }
+  // ============================================
+  // Layer 1: Check SPDX-License-Identifier (fastest, authoritative)
+  // ============================================
+  const spdxMatch = normalizedText.match(SPDX_REGEX)
+  if (spdxMatch) {
+    const spdxId = spdxMatch[1].trim()
+    // Validate it looks like a valid SPDX expression
+    if (/^[A-Za-z0-9.\-+]+(?:\s+(?:OR|AND)\s+[A-Za-z0-9.\-+]+)*$/.test(spdxId)) {
+      return spdxId
+    }
+  }
+  // ============================================
+  // Layer 2: Check license header/title (for full license texts)
+  // ============================================
+  const headerMatch = detectFromHeader(normalizedText)
+  if (headerMatch) {
+    // For GPL/LGPL, still need version differentiation
+    if (headerMatch === 'GPL-3.0-only' || headerMatch === 'GPL-2.0-only') {
+      return differentiatGPL(normalizedText)
+    }
+    if (headerMatch === 'BSD-3-Clause' || headerMatch === 'BSD-2-Clause') {
+      return differentitateBSD(normalizedText)
+    }
+    return headerMatch
+  }
+  // ============================================
+  // Layer 3: Check for dual-license indicators
+  // ============================================
+  const dualLicense = detectDualLicense(normalizedText)
+  if (dualLicense) {
+    return dualLicense
+  }
+  // ============================================
+  // Layer 4: Check key phrase patterns
+  // ============================================
+  const phraseMatch = detectFromKeyPhrases(normalizedText)
+  if (phraseMatch) {
+    // For GPL/LGPL, still need version differentiation
+    if (phraseMatch === 'GPL-3.0-only' || phraseMatch === 'GPL-2.0-only') {
+      return differentiatGPL(normalizedText)
+    }
+    if (phraseMatch === 'BSD-3-Clause' || phraseMatch === 'BSD-2-Clause') {
+      return differentitateBSD(normalizedText)
+    }
+    return phraseMatch
+  }
+  // ============================================
+  // Layer 5: Jaccard similarity matching (fallback)
+  // ============================================
+  const inputTokens = tokenize(normalizedText)
+  // Guard: too few tokens
+  if (inputTokens.size < 5) {
+    return 'UNKNOWN'
+  }
+  // Calculate similarity against all templates
+  const scores = []
+  for (const [licenseId, templateTokens] of TEMPLATE_TOKENS) {
+    const score = jaccardSimilarity(inputTokens, templateTokens)
+    scores.push({ licenseId, score })
+  }
+  // Sort by score descending
+  scores.sort((a, b) => b.score - a.score)
+  const bestMatch = scores[0]
+  // License family differentiation (special cases)
+  // BSD differentiation
+  if (bestMatch.score >= 0.3 &&
+      (bestMatch.licenseId === 'BSD-3-Clause' || bestMatch.licenseId === 'BSD-2-Clause')) {
+    return differentitateBSD(normalizedText)
+  }
+  // GPL differentiation
+  if (bestMatch.score >= 0.3 &&
+      (bestMatch.licenseId === 'GPL-3.0-only' || bestMatch.licenseId === 'GPL-2.0-only')) {
+    return differentiatGPL(normalizedText)
+  }
+  // Return based on confidence threshold (lowered since we have header/phrase detection)
+  if (bestMatch.score >= 0.30) {
+    return bestMatch.licenseId
+  }
+  // Low confidence - unknown
+  return 'UNKNOWN'
+}
+/**
+ * Get all similarity scores for debugging/analysis
+ *
+ * @param {string} text - LICENSE file content
+ * @returns {Array<{licenseId: string, score: number}>} Sorted scores
+ */
+function getAllScores(text) {
+  const inputTokens = tokenize(text)
+  const scores = []
+  for (const [licenseId, templateTokens] of TEMPLATE_TOKENS) {
+    const score = jaccardSimilarity(inputTokens, templateTokens)
+    scores.push({ licenseId, score: Math.round(score * 100) / 100 })
+  }
+  return scores.sort((a, b) => b.score - a.score)
+}
+module.exports = {
+  detectLicenseFromText,
+  // Export for testing
+  tokenize,
+  jaccardSimilarity,
+  detectDualLicense,
+  differentitateBSD,
+  differentiatGPL,
+  getAllScores,
+  // New multi-strategy exports
+  detectFromHeader,
+  detectFromKeyPhrases,
+  detectRestrictiveClauses,
+  LICENSE_HEADER_PATTERNS,
+  KEY_PHRASE_PATTERNS,
+  RESTRICTIVE_CLAUSES,
+  // Original exports
+  LICENSE_TEMPLATES,
+  TEMPLATE_TOKENS,
+  STOPWORDS
+}