licenseguard-cli 2.1.0 → 2.2.0

package/CHANGELOG.md

@@ -0,0 +1,285 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.2.0] - 2025-11-25
+
+### Added
+
+- **Friction-Free Adoption (Dual-Mode Init)** - `scan` command now adapts to environment
+  - **Interactive Mode**: Prompts user to initialize configuration when missing (TTY)
+  - **CI/CD Mode**: Auto-detects project license from package manager files (no TTY or CI env)
+  - **Multi-Ecosystem Auto-Detection**: Supports Node.js, Rust, Python, Go, and C++
+  - **Graceful Fallback**: Clear error messages with setup instructions when auto-detect fails
+  - License auto-detection functions: `autoDetectLicense()`, `detectNodeLicense()`, `detectRustLicense()`, `detectPythonLicense()`, `detectGoLicense()`, `detectCppLicense()`
+  - `isInteractive()` helper to detect TTY vs CI/CD environments
+  - `isValidLicense()` validator to check for valid license strings (excludes UNLICENSED and empty)
+
+- **Deep Scan Engine** - Complete dependency visibility for Node.js projects
+  - Parses `package-lock.json` to find ALL packages including transitive dependencies
+  - Supports lockfile v1 (npm 5-6), v2 (npm 7-8), v3 (npm 9+)
+  - Automatically detects lockfile version and uses appropriate parser
+  - Graceful fallback to flat scan when lockfile missing or corrupt
+  - **30x improvement** in package discovery: Typical React project goes from 50 packages (flat) → 1500+ packages (deep)
+  - **~99% coverage** with deep scan vs ~15% with flat scan
+  - Zero configuration required - works automatically when lockfile present
+
+- **Dependency Path Visualization** - Shows exact dependency chains for license conflicts
+  - Automatically traces paths for GPL conflicts: "app → @facebook/folly → liburing"
+  - Uses npm's built-in `npm explain` command (npm 7+ required)
+  - Lazy evaluation: Only traces paths when conflicts detected (performance optimized)
+  - Caching to avoid duplicate subprocess calls (5 second timeout per package)
+  - Graceful fallback: Displays conflicts without paths when npm explain unavailable
+  - Answers the key question: "Where did this GPL package come from?"
+  - Enables instant decision-making: Remove direct dependency or find alternative
+
+- **Coverage Report** - Automatic scan transparency for trust building
+  - Shows "X/Y packages identified (Z%)" after every scan
+  - Visual indicators: ✅ (90%+ excellent), ⚠️ (70-89% good), ❌ (<70% needs attention)
+  - Percentage formatted to 1 decimal place for precision
+  - Always displayed by default (no flag needed)
+  - Educational tip shown when coverage < 80%: "💡 Tip: Some packages may need manual LICENSE file inspection"
+  - Displays BEFORE conflict report in `init` command
+  - Displays at end of output in `scan` command
+  - Builds user trust through transparency about scan completeness
+
+- **HTML Attribution Generator** - Mobile-ready CREDITS.html for App Store compliance
+  - New `--format html` flag on `scan` command generates attribution file
+  - Mobile-optimized responsive design (max-width 800px desktop, full-width mobile)
+  - System fonts for instant loading: `-apple-system, BlinkMacSystemFont, Segoe UI, Roboto`
+  - Touch-friendly: 44px minimum touch targets (iOS accessibility guideline)
+  - Dark mode support: Automatic light/dark theme adaptation
+  - Expandable license text: Click "Show license text" to view full license
+  - Alphabetical sorting: Packages sorted by name for easy navigation
+  - XSS safe: All user content properly escaped (prevents script injection)
+  - Single file: Inline CSS and JavaScript (no external dependencies)
+  - Ready to bundle: Works with iOS (Xcode + WKWebView) and Android (assets + WebView)
+  - Meets App Store requirements: iOS App Store and Google Play Store attribution compliance
+  - Zero configuration: `licenseguard scan --format html` generates `CREDITS.html`
+
+### Changed
+- **`scan` command behavior**: Now checks for `.licenseguardrc` before requiring license specification
+  - Interactive mode offers to run `init` instead of throwing error
+  - CI/CD mode attempts auto-detection before erroring out
+  - Scan command continues seamlessly after interactive init completes
+- Node.js scanner now uses deep scan (lockfile parsing) by default when lockfile available
+- Flat scan preserved as fallback for projects without lockfiles
+- Scan output now includes coverage statistics by default
+- Coverage report appears in both `init` and `scan` commands automatically
+- Significantly improved dependency discovery accuracy for Node.js projects
+
+### Technical Details
+- New module: `lib/scanner/deep-scan.js` - Lockfile parser (v1/v2/v3 support)
+- New module: `lib/scanner/path-tracer.js` - npm explain adapter for dependency paths
+- Modified: `lib/scanner/plugins/node.js` - Integrated deep scan with fallback logic
+- Modified: `lib/scanner/index.js` - displayConflictReport now async, traces paths for conflicts
+- Modified: `lib/commands/scan.js` - Awaits displayConflictReport for path tracing
+- Test coverage: 100% for deep-scan.js and path-tracer.js modules
+- All 762 tests passing with zero regressions
+
+## [2.1.1] - 2025-11-25
+
+### Added
+- **Color-coded License Output** - Visual safety hierarchy for quick risk assessment
+  - Green (🟢): Permissive licenses (MIT, Apache-2.0, BSD-*, ISC)
+  - Yellow (⚠️): Weak copyleft (MPL-2.0, LGPL-*)
+  - Red (❌): Strong copyleft (GPL-*, AGPL-*)
+  - Gray (❔): Unknown licenses (requires manual review)
+  - Emojis as secondary indicators for accessibility (colorblind-friendly)
+  - Works in both light and dark terminal themes
+- **Update Notifier** - Automatic update notifications
+  - Checks npm registry once per 24 hours
+  - Displays banner when newer version available
+  - Non-blocking (doesn't slow down CLI startup)
+  - Fails silently if network unavailable
+  - Cache stored in OS temp directory
+
+### Changed
+- All license output now color-coded in `init` command
+- Conflict reports now show visual safety indicators
+
+## [2.1.0] - 2025-11-23
+
+### Added
+
+#### Multi-Ecosystem Dependency Scanning
+- **C/C++ (Conan) Support**
+  - Scans Conan 2.x and 1.x projects
+  - Auto-detects `conanfile.txt` and `conanfile.py`
+  - Tested with Facebook's folly library (23 dependencies, found 3 real GPL conflicts)
+  - Prevents GPL contamination in MIT/Apache projects
+- **Rust (Cargo) Support**
+  - Scans Cargo projects via `cargo metadata --format-version 1`
+  - Auto-detects `Cargo.toml`
+  - 100% test coverage
+- **Python (pip/pipenv/poetry) Support**
+  - **Native Python scanner** using `importlib.metadata` (IPC Bridge approach)
+  - **98.6% detection rate** (342/347 packages) vs 9.2% with pip show parsing
+  - Auto-detects `requirements.txt`, `Pipfile`, `pyproject.toml`
+  - Priority: poetry > pipenv > pip
+  - 37 license normalizations for Python ecosystem quirks
+  - Batch optimization (30x faster than individual calls)
+- **Go (modules) Support**
+  - Scans Go modules with streaming NDJSON for large projects
+  - Dynamic cache detection via `go env GOMODCACHE`
+  - Auto-detects `go.mod`
+  - Jaccard Index matching for LICENSE files (no package metadata fallback)
+
+- **Authoritative Source Citations (--explain)**
+  - Added `--explain` flag to `init` and `scan` commands
+  - Shows citations from FSF, OSI, and Mozilla for compatibility decisions
+  - Provides direct URLs to license text and compatibility matrices
+  - Helps developers verify "Why is this a conflict?" with legal backing
+
+#### Advanced License Detection
+- **Jaccard Index License Detector** (5-layer multi-strategy detection)
+  - Layer 1: SPDX-License-Identifier headers (fastest)
+  - Layer 2: License header/title detection (for full license texts)
+  - Layer 3: Dual-license pattern detection
+  - Layer 4: Key phrase patterns (distinctive phrases)
+  - Layer 5: Jaccard similarity matching (edge cases)
+  - Reduced Go scan warnings from 27 to 7
+  - Handles BSD-2-Clause vs BSD-3-Clause differentiation
+  - Universal detector usable across all ecosystems
+- **GPL Contamination Prevention**
+  - Detects copyleft licenses in transitive dependency trees
+  - Real-world validation: Found 3 GPL conflicts in folly's 23-dependency tree
+  - Business value: Prevents license violations before production
+
+### Changed
+
+#### Architecture
+- **Plugin Architecture** - Refactored from monolithic to pluggable ecosystem plugins
+  - `lib/scanner/plugins/node.js` - Node.js scanner (extracted from monolithic v2.0)
+  - `lib/scanner/plugins/cpp.js` - C/C++ Conan scanner
+  - `lib/scanner/plugins/rust.js` - Rust Cargo scanner
+  - `lib/scanner/plugins/python.js` - Python scanner with IPC bridge
+  - `lib/scanner/plugins/go.js` - Go modules scanner
+- **Auto-detection** - Scanner now auto-detects project type (Node > C++ > Rust > Python > Go priority)
+- **Node.js Scanner** - Backward compatible, all Epic 2 tests still passing
+
+### Technical
+
+#### New Files
+- `lib/scanner/plugins/cpp.js` - Conan plugin (87% coverage)
+- `lib/scanner/plugins/rust.js` - Cargo plugin (100% coverage)
+- `lib/scanner/plugins/python.js` - Python plugin with IPC bridge (98% coverage)
+- `lib/scanner/plugins/python-license-scanner.py` - Native Python scanner script
+- `lib/scanner/plugins/go.js` - Go modules plugin (92% coverage)
+- `lib/scanner/plugins/node.js` - Refactored Node.js scanner (100% coverage)
+- `lib/scanner/license-detector.js` - Jaccard Index multi-strategy detector (85% coverage)
+
+#### Test Growth
+- **635 tests** (was 132 in v2.0.0) - **+503 tests, +381% growth**
+- **19 test suites** (was ~10 in v2.0.0)
+- **0 regressions** - All Epic 2 tests passing
+- **Coverage:**
+  - Plugins: 94.37% (target: >80%)
+  - License detector: 85.41% (target: >80%)
+  - Overall: 84.46% statements, 75.95% branches
+
+#### Dependencies
+- No new npm dependencies added (uses child_process for ecosystem tools)
+
+#### Performance
+- Node.js: <1s for 1500 packages
+- Python: ~1-2s for 347 packages (IPC Bridge overhead)
+- C++: <1s for 23 packages (Conan metadata parsing)
+- Rust: <1s for typical project
+- Go: <1s for typical project
+
+### Breaking Changes
+None - Fully backward compatible with v2.0.0
+
+### Known Limitations
+- Mixed-language projects not yet supported (auto-detection picks first match)
+- Python requires Python 3.7+ installed
+- C++ requires Conan 1.x or 2.x installed
+- Rust requires Cargo installed
+- Go requires Go installed
+
+---
+
+**Epic 3 Completed:** Multi-Ecosystem Scanner Support
+**Stories Completed:** 3.0 (Plugin Architecture), 3.1 (C++), 3.2 (Rust), 3.3 (Python), 3.4 (Go), plus 2 hotfixes (compat-checker, license-detector)
+
+## [2.0.0] - 2025-11-18
+
+### BREAKING CHANGES
+
+#### CLI Architecture Migration
+- **Migrated from flag-based to subcommand-based routing**
+  - Old: `licenseguard --init` → New: `licenseguard init`
+  - Old: `licenseguard --ls` → New: `licenseguard ls`
+  - Old: `licenseguard --setup` → New: `licenseguard setup`
+- **Rationale:** Subcommands provide better CLI semantics and enable future extensibility
+- **Migration:** Update all scripts and documentation to use new syntax
+- **Backward compatibility:** Use `--noscan` flag for v1.x behavior without dependency scanning
+
+### Added
+
+#### License Compliance Guard 
+- **Dependency license scanning during init**
+  - Scans all npm dependencies for license conflicts
+  - Reads `package.json` and `node_modules/*/package.json`
+  - Displays scan summary with compatible/incompatible/unknown counts
+- **SPDX license compatibility checking**
+  - Uses `spdx-satisfies` for industry-standard compatibility rules
+  - Checks copyleft vs permissive conflicts (e.g., GPL-3.0 incompatible with MIT)
+  - Supports complex license expressions (e.g., "MIT OR Apache-2.0")
+- **Conflict detection with blocking**
+  - LICENSE creation blocked if incompatible licenses detected
+  - Exits with code 1 and error message
+  - Shows detailed conflict report with package names, licenses, and reasons
+- **scanResult persistence to .licenseguardrc**
+  - Optional field to save scan results for transparency
+  - Includes timestamp, counts, and issues array
+  - Acts as compliance badge (like CI or coverage badges)
+  - Prompt with smart defaults: YES for clean scans, NO for conflicts
+- **--force flag to override blocking**
+  - Creates LICENSE despite conflicts when user explicitly accepts risks
+  - Shows warnings but allows proceeding
+  - Useful for false positives or acceptable conflicts
+- **--noscan flag for v1.x compatibility**
+  - Skips dependency scanning entirely
+  - Maintains v1.x behavior for non-JavaScript projects
+  - No scanResult generated or saved
+
+### Changed
+
+- **Help text improved** - Now shows subcommands with descriptions
+- **Error messages enhanced** - More actionable feedback for common issues
+- **CLI routing refactored** - Cleaner subcommand architecture
+- **Init command enhanced** - Integrated scanning after license selection, before file creation
+- **Init-fast command enhanced** - Auto-saves clean scan results, skips saving on conflicts
+- **Configuration format extended** - `.licenseguardrc` now supports optional `scanResult` field
+
+### Technical
+
+#### New Dependencies
+- `spdx-satisfies@5.x` - SPDX license compatibility checking
+- `spdx-expression-parse@4.x` - Parse SPDX license expressions
+
+#### New Modules
+- `lib/scanner/index.js` - Dependency scanner with conflict detection
+- `lib/compat/rules.js` - License compatibility rules engine
+
+#### Test Coverage
+- Added scanner unit tests
+- Added file-ops scanResult handling tests
+- Maintained 86%+ coverage target
+
+## [1.1.0] - 2025-11-17
+
+### Added
+- Initial public release (Epic 1)
+- Interactive license setup (`init` command)
+- Fast mode for CI/CD (`init --fast`)
+- 6 embedded license templates (MIT, Apache 2.0, GPL 3.0, BSD 3-Clause, ISC, WTFPL)
+- Git hooks for license notifications (post-checkout, pre-commit)
+- Global hooks installation via npm postinstall
+- `.licenseguardrc` configuration file
+- Cross-platform support (Linux, macOS, Windows)

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,43 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## The "No Elitism" Clause
+
+LicenseGuard was built by a solo developer learning the ropes. We value **grit** and **learning** over certificates and titles.
+
+*   **No Gatekeeping:** Do not belittle contributors for "bad code" or "being junior." Teach, don't preach.
+*   **Practicality over Purity:** We prefer code that works and is readable over "clever" one-liners that no one understands.
+*   **Respect the Craft:** Take pride in what you ship. Code is communication.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+*   Demonstrating empathy and kindness toward other people
+*   Being respectful of differing opinions, viewpoints, and experiences
+*   Giving and gracefully accepting constructive feedback
+*   Accepting responsibility and apologizing to those affected by our mistakes
+*   Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+*   The use of sexualized language or imagery, and sexual attention or advances of any kind
+*   Trolling, insulting or derogatory comments, and personal or political attacks
+*   Public or private harassment
+*   Publishing others' private information, such as a physical or email address, without their explicit permission
+*   Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+[homepage]: https://www.contributor-covenant.org

package/CONTRIBUTING.md

@@ -0,0 +1,68 @@
+# Contributing to LicenseGuard
+
+First off, thank you for considering contributing to LicenseGuard. This project is built on the belief that license compliance should be **fast, free, and accessible** to every developer.
+
+## The LicenseGuard Philosophy
+
+Before you write a single line of code, please understand the core values that built this tool:
+
+1.  **Zero Bloat Policy** 🚀
+    *   We prefer native Node.js APIs (`fs`, `child_process`, `path`) over adding heavy dependencies.
+    *   Current dependencies are minimal (chalk, commander, inquirer). Keep it that way.
+    *   If you can write it in 20 lines of utility code, don't install a 5MB library.
+
+2.  **Ecosystem Native** 🧠
+    *   Don't force one logic on all languages.
+    *   **Node.js** uses file parsing (`package.json`) because it's fast.
+    *   **Python** uses IPC bridge (`python-license-scanner.py`) because pip is chaotic.
+    *   **Go/Rust** uses CLI tools (`go list`, `cargo metadata`) because they are authoritative.
+    *   *Rule:* Research the ecosystem's standard first. Don't guess.
+
+3.  **Fail-Safe Architecture** 🛡️
+    *   This is a polyglot tool. If the user doesn't have `conan` installed, the C++ scanner should fail silently with a warning. It MUST NOT crash the Node.js scan.
+    *   Always wrap plugin execution in `try-catch`.
+
+4.  **"Feel Code"** ✍️
+    *   Understand what you are parsing. Don't just regex blindly.
+    *   Read the lockfiles. Understand the graph.
+
+## Development Setup
+
+1.  **Clone and Install:**
+    ```bash
+    git clone https://github.com/rfxlamia/licenseguard.git
+    cd licenseguard
+    npm install
+    ```
+
+2.  **Run Tests:**
+    We take testing seriously.
+    ```bash
+    npm test
+    ```
+    *Current Benchmark:* 635+ tests passing in ~3 seconds. Do not make it slower.
+
+3.  **Manual Testing:**
+    Automated tests are not enough. Verify your changes against real projects.
+    See `manual-test/` directory for reference projects (Node, C++, Python).
+
+## Pull Request Guidelines
+
+*   **Branch Naming:** `feat/feature-name` or `fix/bug-name`.
+*   **Commit Messages:** Follow [Conventional Commits](https://www.conventionalcommits.org/) (e.g., `feat: add ruby support`, `fix: handle corrupt lockfile`).
+*   **Tests:** Every PR **MUST** include unit tests. Code coverage should not drop below 90%.
+*   **Documentation:** Update `README.md` if you add a new feature or flag.
+
+## Adding a New Ecosystem Plugin
+
+Want to add support for Ruby, PHP, or Java?
+1.  Create `lib/scanner/plugins/language.js`.
+2.  Implement the standard interface:
+    *   `detect()`: Boolean
+    *   `scanDependencies(projectLicense)`: Promise<Result>
+3.  Register it in `lib/scanner/index.js`.
+4.  Add comprehensive unit tests in `tests/unit/scanner-language.test.js`.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under its MIT License.

package/README.md

@@ -5,7 +5,7 @@
 
 > License setup & compliance guard for developers
 
-LicenseGuard helps you set up open source licenses and protects your project from license conflicts. It scans your dependencies for incompatible licenses and automatically notifies developers about licensing requirements - works with any language (Node.js, Python, Rust, Go, etc.).
+LicenseGuard helps you set up open source licenses and protects your project from license conflicts. It scans your dependencies for incompatible licenses and automatically notifies developers about licensing requirements - works across ecosystems (Node.js, Python, Rust, Go, C++).
 
 ## Key Features
 
@@ -15,7 +15,6 @@ LicenseGuard helps you set up open source licenses and protects your project fro
 - **Scan Results** - Save scan results to `.licenseguardrc` for transparency
 - **Automatic Notifications** - See license info immediately after `git clone`
 - **Zero Effort** - Global hooks install once, work forever
-- **Language Agnostic** - Works for Python, Rust, Go, Ruby, any project
 - **Offline** - All license templates bundled, no internet required
 
 ---
@@ -189,7 +188,7 @@ Fix conflicts or use --force to proceed anyway:
   licenseguard init --force
 ```
 
-**With Explanation (`--explain`):**
+### `init --explain` - With Explanation
 ```bash
 licenseguard init --explain
 # ...
@@ -269,7 +268,8 @@ Reads existing `.licenseguardrc` and installs hooks. Used in npm prepare scripts
 
 ---
 
-## Supported Licenses
+## Supported License Setup
+
 
 | Key | Name | Description |
 |-----|------|-------------|
@@ -469,12 +469,46 @@ Yes! Fully cross-platform (Linux, macOS, Windows).
 ## Contributing
 
 Contributions welcome!
+**We need your help to make LicenseGuard better.**
+
+---
+
+### How to Contribute
+
+1. Read [CONTRIBUTING.md](CONTRIBUTING.md) - Philosophy and guidelines
+2. Check [GitHub Issues](https://github.com/rfxlamia/licenseguard-development/issues) for "good first issue" label
+3. Fork repository
+4. Create branch: `git checkout -b feat/license-mpl2`
+5. Write tests (90%+ coverage required)
+6. Submit Pull Request
+
+**Philosophy:**
+- **Zero Bloat** - Prefer native APIs over dependencies
+- **Ecosystem Native** - Research the right tool, don't guess
+- **Fail-Safe** - Plugins fail gracefully, never crash
+- **Feel Code** - Understand what you parse
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for full guidelines.
+
+---
+
+## Code of Conduct
+
+We're committed to an inclusive community. Read our [Code of Conduct](CODE_OF_CONDUCT.md).
+
+**Key principles:**
+- **No Elitism** - Grit and learning > credentials
+- **No Gatekeeping** - Teach, don't preach
+- **Practicality > Purity** - Readable > clever
+- **Respect the Craft** - Code is communication
 
-1. Fork the repository
-2. Create feature branch: `git checkout -b feature/amazing`
-3. Commit changes: `git commit -m 'Add feature'`
-4. Push: `git push origin feature/amazing`
-5. Open Pull Request
+---
+
+## Documentation
+
+- **[QUICK-USE.md](QUICK-USE.md)** - Complete command reference and examples
+- **[CONTRIBUTING.md](CONTRIBUTING.md)** - How to contribute
+- **[CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)** - Community standards
 
 ---
 
@@ -487,5 +521,9 @@ MIT License - see [LICENSE](LICENSE) file.
 ## Links
 
 - [npm Package](https://www.npmjs.com/package/licenseguard-cli)
+- [GitHub Repository](https://github.com/rfxlamia/licenseguard)
+- [Quick Use Guide](QUICK-USE.md)
+- [Contributing Guide](CONTRIBUTING.md)
 - [Choose a License](https://choosealicense.com)
-- [Open Source Initiative](https://opensource.org/licenses)
+- [SPDX License List](https://spdx.org/licenses/)
+

package/bin/licenseguard.js

@@ -6,7 +6,14 @@ const { version } = require('../package.json')
 const { runList } = require('../lib/commands/list')
 const { runInit } = require('../lib/commands/init')
 const { runInitFast } = require('../lib/commands/init-fast')
+const { runScan } = require('../lib/commands/scan')
 const { setupCommand } = require('../lib/commands/setup')
+const { checkForUpdates } = require('../lib/utils/update-notifier')
+
+// Check for updates (non-blocking, silent failure)
+checkForUpdates(version).catch(() => {
+  // Silent failure - don't block user
+})
 
 program
   .version(version)
@@ -37,6 +44,25 @@ program
     }
   })
 
+// Scan command
+program
+  .command('scan')
+  .description('Scan dependencies for license conflicts')
+  .option('--license <type>', 'Specify project license (if not auto-detected)')
+  .option('--allow', 'Allow conflicts (exit 0 even if conflicts found)')
+  .option('--fail-on-unknown', 'Fail if unknown licenses detected')
+  .option('--explain', 'Show authoritative source citations for license compatibility decisions')
+  .option('--format <type>', 'Output format (html) - generates CREDITS.html for mobile apps')
+  .option('--cwd <path>', 'Working directory to scan')
+  .action(async (options) => {
+    try {
+      await runScan(options)
+    } catch (error) {
+      console.error(chalk.red('✗ Error:'), error.message)
+      process.exit(1)
+    }
+  })
+
 // List command
 program
   .command('ls')

package/lib/commands/init-fast.js

@@ -74,7 +74,7 @@ async function runInitFast(options) {
         console.log(chalk.blue('🔍 Scanning dependencies for license conflicts...\n'))
 
         scanResult = await scanDependencies(spdxLicense)
-        const hasConflicts = displayConflictReport(scanResult, spdxLicense)
+        const hasConflicts = await displayConflictReport(scanResult, spdxLicense)
 
         if (hasConflicts && !options.force) {
           // Block LICENSE creation due to conflicts

package/lib/commands/init.js

@@ -5,6 +5,7 @@ const { writeLicenseFile, writeConfig } = require('../utils/file-ops')
 const { isGitRepo, initGitRepo, installHooks } = require('../utils/git-helpers')
 const { scanDependencies, displayConflictReport } = require('../scanner')
 const { toSPDX } = require('../utils/license-mapper')
+const { calculateCoverage, displayCoverage } = require('../scanner/coverage-reporter')
 
 async function runInit(options = {}) {
   try {
@@ -59,7 +60,12 @@ async function runInit(options = {}) {
         console.log(chalk.blue('\n🔍 Scanning dependencies for license conflicts...\n'))
 
         scanResult = await scanDependencies(spdxLicense)
-        const hasConflicts = displayConflictReport(scanResult, spdxLicense, { explain: options.explain })
+
+        // Display coverage BEFORE conflict report (AC #3)
+        const coverage = calculateCoverage(scanResult)
+        displayCoverage(coverage)
+
+        const hasConflicts = await displayConflictReport(scanResult, spdxLicense, { explain: options.explain })
 
         if (hasConflicts && !options.force) {
           // Block LICENSE creation due to conflicts