mcp-license-audit 0.1.0

package/README.md

@@ -0,0 +1,90 @@
+# mcp-license-audit
+
+MCP server that audits your project's dependency licenses for compatibility issues. Flags GPL/AGPL conflicts and generates compliance reports.
+
+## What It Does
+
+- Parses a `package.json` file (dependencies + devDependencies)
+- Fetches license info for each package from the npm registry
+- Classifies licenses: permissive (MIT, Apache, BSD, ISC), copyleft (GPL, AGPL), weak-copyleft (LGPL, MPL), unknown
+- Detects conflicts (e.g., GPL dependency in an MIT-licensed project)
+- Returns a structured JSON report with risk level and summary
+
+## Install
+
+```bash
+npm install -g mcp-license-audit
+# or run directly:
+npx mcp-license-audit
+```
+
+## Configure in Claude Code
+
+Add to your `.claude/mcp.json` or `~/.claude/mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "license-audit": {
+      "command": "npx",
+      "args": ["mcp-license-audit"]
+    }
+  }
+}
+```
+
+Or if installed globally:
+
+```json
+{
+  "mcpServers": {
+    "license-audit": {
+      "command": "mcp-license-audit"
+    }
+  }
+}
+```
+
+## Tool: `audit-licenses`
+
+**Input:** `packageJson` — the full contents of a `package.json` file as a string.
+
+**Output:** JSON report:
+
+```json
+{
+  "totalDependencies": 15,
+  "analyzed": 15,
+  "licenses": {
+    "MIT": ["express", "lodash"],
+    "Apache-2.0": ["typescript"],
+    "GPL-3.0": ["some-package"],
+    "unknown": ["private-pkg"]
+  },
+  "conflicts": [
+    {
+      "package": "some-package",
+      "license": "GPL-3.0",
+      "issue": "GPL dependency in MIT project — must open-source your code if distributed"
+    }
+  ],
+  "riskLevel": "medium",
+  "summary": "15 deps analyzed. 1 GPL conflict found. 1 unknown license."
+}
+```
+
+**Risk levels:** `low` (no copyleft), `medium` (weak copyleft or many unknowns), `high` (GPL/AGPL found).
+
+## Limits
+
+- Analyzes first 20 dependencies for speed
+- Only supports npm packages (no pip/cargo/gem support yet)
+- License data comes from the npm registry — private packages return "unknown"
+
+## Build from Source
+
+```bash
+npm install
+npm run build
+node dist/index.js
+```

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,149 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import * as mcpcat from "mcpcat";
+const PERMISSIVE = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "Unlicense", "CC0-1.0"]);
+const COPYLEFT = new Set(["GPL-2.0", "GPL-3.0", "GPL-2.0-only", "GPL-3.0-only", "GPL-2.0-or-later", "GPL-3.0-or-later", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"]);
+const WEAK_COPYLEFT = new Set(["LGPL-2.0", "LGPL-2.1", "LGPL-3.0", "LGPL-2.0-only", "LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EUPL-1.1", "EUPL-1.2"]);
+function categorize(license) {
+    if (!license || license === "UNKNOWN")
+        return "unknown";
+    const normalized = license.toUpperCase();
+    for (const l of PERMISSIVE)
+        if (l.toUpperCase() === normalized)
+            return "permissive";
+    for (const l of COPYLEFT)
+        if (l.toUpperCase() === normalized)
+            return "copyleft";
+    for (const l of WEAK_COPYLEFT)
+        if (l.toUpperCase() === normalized)
+            return "weak-copyleft";
+    if (normalized.includes("GPL") || normalized.includes("AGPL"))
+        return "copyleft";
+    if (normalized.includes("LGPL") || normalized.includes("MPL"))
+        return "weak-copyleft";
+    if (normalized.includes("MIT") || normalized.includes("BSD") || normalized.includes("APACHE") || normalized.includes("ISC"))
+        return "permissive";
+    return "unknown";
+}
+async function fetchLicense(pkg) {
+    try {
+        const res = await fetch(`https://registry.npmjs.org/${pkg}/latest`);
+        if (!res.ok)
+            return "unknown";
+        const data = await res.json();
+        if (!data.license)
+            return "unknown";
+        if (typeof data.license === "string")
+            return data.license;
+        if (typeof data.license === "object" && data.license.type)
+            return data.license.type;
+        return "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+const server = new McpServer({
+    name: "mcp-license-audit",
+    version: "0.1.0",
+});
+// MCPcat analytics
+const MCPCAT_PROJECT_ID = process.env["MCPCAT_PROJECT_ID"] ?? undefined;
+if (MCPCAT_PROJECT_ID)
+    mcpcat.track(server, MCPCAT_PROJECT_ID);
+server.tool("audit-licenses", "Audit your project's dependency licenses for compatibility issues. Flags GPL/AGPL conflicts and generates compliance reports.", {
+    packageJson: z.string().describe("Contents of a package.json file as a string"),
+}, async ({ packageJson }) => {
+    let parsed;
+    try {
+        parsed = JSON.parse(packageJson);
+    }
+    catch {
+        return {
+            content: [{ type: "text", text: JSON.stringify({ error: "Invalid package.json — could not parse JSON" }) }],
+        };
+    }
+    const deps = {
+        ...(parsed.dependencies ?? {}),
+        ...(parsed.devDependencies ?? {}),
+    };
+    const allPackages = Object.keys(deps);
+    const totalDependencies = allPackages.length;
+    const toAnalyze = allPackages.slice(0, 20);
+    const projectLicense = typeof parsed.license === "string" ? parsed.license : "unknown";
+    const projectCategory = categorize(projectLicense);
+    const licenseResults = await Promise.all(toAnalyze.map(async (pkg) => {
+        const license = await fetchLicense(pkg);
+        return { pkg, license, category: categorize(license) };
+    }));
+    const licenseMap = {};
+    for (const { pkg, license } of licenseResults) {
+        if (!licenseMap[license])
+            licenseMap[license] = [];
+        licenseMap[license].push(pkg);
+    }
+    const conflicts = [];
+    for (const { pkg, license, category } of licenseResults) {
+        if (category === "copyleft") {
+            const isSPDX = license.toUpperCase().includes("AGPL");
+            const licenseType = isSPDX ? "AGPL" : "GPL";
+            let issue = `${licenseType} dependency in ${projectLicense} project — must open-source your code if distributed`;
+            if (projectCategory === "permissive") {
+                conflicts.push({ package: pkg, license, issue });
+            }
+            else if (projectCategory === "unknown") {
+                conflicts.push({ package: pkg, license, issue: `${licenseType} dependency detected — verify compatibility with your project license` });
+            }
+        }
+        if (category === "weak-copyleft" && projectCategory === "permissive") {
+            conflicts.push({
+                package: pkg,
+                license,
+                issue: `Weak copyleft (${license}) — LGPL/MPL has linking requirements, review if you modify this library`,
+            });
+        }
+    }
+    const copyleftCount = licenseResults.filter((r) => r.category === "copyleft").length;
+    const weakCopyleftCount = licenseResults.filter((r) => r.category === "weak-copyleft").length;
+    const unknownCount = licenseResults.filter((r) => r.category === "unknown").length;
+    let riskLevel;
+    if (copyleftCount > 0) {
+        riskLevel = "high";
+    }
+    else if (weakCopyleftCount > 0 || unknownCount > 2) {
+        riskLevel = "medium";
+    }
+    else {
+        riskLevel = "low";
+    }
+    const parts = [`${toAnalyze.length} deps analyzed.`];
+    if (copyleftCount > 0)
+        parts.push(`${copyleftCount} GPL/AGPL conflict${copyleftCount > 1 ? "s" : ""} found.`);
+    if (weakCopyleftCount > 0)
+        parts.push(`${weakCopyleftCount} weak-copyleft dep${weakCopyleftCount > 1 ? "s" : ""}.`);
+    if (unknownCount > 0)
+        parts.push(`${unknownCount} unknown license${unknownCount > 1 ? "s" : ""}.`);
+    if (conflicts.length === 0)
+        parts.push("No conflicts found.");
+    const report = {
+        totalDependencies,
+        analyzed: toAnalyze.length,
+        licenses: licenseMap,
+        conflicts,
+        riskLevel,
+        summary: parts.join(" "),
+    };
+    return {
+        content: [{ type: "text", text: JSON.stringify(report, null, 2) }],
+    };
+});
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((err) => {
+    process.stderr.write(`Fatal: ${err}\n`);
+    process.exit(1);
+});

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "mcp-license-audit",
+  "version": "0.1.0",
+  "description": "MCP server that audits your project's dependency licenses for compatibility issues. Flags GPL/AGPL conflicts and generates compliance reports.",
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js"
+  },
+  "files": ["dist"],
+  "keywords": ["mcp", "mcp-server", "license-audit", "compliance", "gpl", "dependency-check", "open-source", "license-checker"],
+  "author": "Timothy Cai",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/linesatuni/agentic-waitlist.git",
+    "directory": "servers/mcp-license-audit"
+  },
+  "type": "module",
+  "bin": {
+    "mcp-license-audit": "./dist/index.js"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "mcpcat": "^0.1.15",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^6.0.2"
+  }
+}