node-module-license-output 0.3.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 myooken
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,133 @@
+# Third-Party License Output for node_modules
+
+[![npm version](https://img.shields.io/npm/v/@myooken/license-output.svg)](https://www.npmjs.com/package/@myooken/license-output)
+[![npm downloads](https://img.shields.io/npm/dm/@myooken/license-output.svg)](https://www.npmjs.com/package/@myooken/license-output)
+[![node](https://img.shields.io/node/v/@myooken/license-output.svg)](https://www.npmjs.com/package/@myooken/license-output)
+
+https://www.npmjs.com/package/@myooken/license-output
+
+### What is this?
+
+A tool to scan `node_modules` and **output third-party licenses in Markdown**.  
+It generates two files: `THIRD-PARTY-LICENSE.md` (main content) and `THIRD-PARTY-LICENSE-REVIEW.md` (review checklist).
+
+### Highlights
+
+- **ESM / Node.js 18+**, zero dependencies
+- **Outputs full license texts** from LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING files
+- **Review file** flags missing Source / license / license files
+- `--fail-on-missing` supports CI enforcement
+
+CLI command: `third-party-license`
+
+### Usage
+
+#### Run without installing (recommended)
+
+```bash
+npx --package=@myooken/license-output -- third-party-license
+```
+
+#### Run via npm exec
+
+```bash
+npm exec --package=@myooken/license-output -- third-party-license
+```
+
+#### Install globally
+
+```bash
+npm i -g @myooken/license-output
+third-party-license
+```
+
+### Options
+
+| Option                 | Description                                                                 | Default                         |
+| ---------------------- | --------------------------------------------------------------------------- | ------------------------------- |
+| `--node-modules <dir>` | Path to `node_modules`                                                      | `node_modules`                  |
+| `--review [file]`      | Write review file only; optional filename                                   | `THIRD-PARTY-LICENSE-REVIEW.md` |
+| `--license [file]`     | Write main file only; optional filename                                     | `THIRD-PARTY-LICENSE.md`        |
+| `--recreate`           | Regenerate files from current `node_modules` only (drops removed packages)  | `true` (default)                |
+| `--update`             | Merge with existing outputs, keep removed packages, and mark their presence | `false`                        |
+| `--fail-on-missing`    | Exit with code 1 if LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING are missing  | `false`                         |
+| `-h`, `--help`         | Show help                                                                   | -                               |
+
+> If neither `--review` nor `--license` is specified, **both files are generated**.
+> Packages in both files are sorted by name@version; `--update` keeps entries for packages no longer in `node_modules` and annotates their usage status.
+
+### Examples
+
+```bash
+# Default (both files)
+third-party-license
+
+# Update existing files without dropping removed packages
+third-party-license --update
+
+# Custom node_modules path
+third-party-license --node-modules ./path/to/node_modules
+
+# Review-only output (optional filename)
+third-party-license --review
+third-party-license --review ./out/THIRD-PARTY-LICENSE-REVIEW.md
+
+# Main-only output (optional filename)
+third-party-license --license
+third-party-license --license ./out/THIRD-PARTY-LICENSE.md
+
+# Exit with code 1 when something is missing (with --fail-on-missing)
+third-party-license --fail-on-missing
+```
+
+### Programmatic API
+
+```js
+import { collectThirdPartyLicenses } from "@myooken/license-output";
+
+const result = await collectThirdPartyLicenses({
+  nodeModules: "./node_modules",
+  outFile: "./THIRD-PARTY-LICENSE.md",
+  reviewFile: "./THIRD-PARTY-LICENSE-REVIEW.md",
+  failOnMissing: false,
+  // mode: "update", // keep packages missing from node_modules when updating files
+});
+
+console.log(result.mainContent);
+console.log(result.reviewContent);
+```
+
+Outputs are sorted by package key. Use `mode: "update"` to merge with existing files and keep packages that are no longer in `node_modules`, with their usage shown in both outputs.
+
+### Output overview
+
+- **THIRD-PARTY-LICENSE.md**
+  - List of packages
+  - Source / License info
+  - Full LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING texts
+  - Usage line shows whether the package is present in the current `node_modules`
+- **THIRD-PARTY-LICENSE-REVIEW.md**
+  - Review-oriented checklist
+  - Usage-aware status (present / not found) for each package
+  - **Missing summary** section
+
+### How it differs from typical npm license tools (general view)
+
+> Examples: `license-checker`, `license-report`, `license-finder`
+
+- **Focused on bundling full license texts into a single Markdown file**
+  - Many existing tools emphasize JSON/CSV reports; this tool emphasizes **ready-to-share license documents**.
+- **Separate review file** to track missing metadata
+  - Easier to integrate into audit workflows.
+- **ESM / Node.js 18+ with no dependencies**
+  - Simple runtime requirements.
+
+### Notes
+
+- Scans all packages under `node_modules` (including nested dependencies); license files are searched only in each package root directory.
+- Recognizes LICENSE, NOTICE, COPYRIGHT, THIRD-PARTY-NOTICES, THIRD-PARTY-LICENSES, ThirdPartyNoticeText/ThirdPartyText, and COPYING files (e.g., TypeScript's `ThirdPartyNoticeText.txt`).
+- Exit code 0: success.
+- Exit code 1: missing license files when `--fail-on-missing` is set, or `node_modules` not found.
+- Throws an error if `node_modules` does not exist.
+- Missing `license` or `repository` fields are flagged in the review file.
+- Paths printed in outputs/logs are shown relative to the current working directory.

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "node-module-license-output",
+  "version": "0.3.0",
+  "description": "Generate third-party-license markdown by scanning licenses in node_modules.",
+  "license": "MIT",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/myooken/collect-node-modules-licenses.git"
+  },
+  "homepage": "https://github.com/myooken/collect-node-modules-licenses#readme",
+  "bugs": {
+    "url": "https://github.com/myooken/collect-node-modules-licenses/issues"
+  },
+  "keywords": [
+    "license",
+    "third-party",
+    "notices",
+    "node_modules",
+    "oss",
+    "compliance",
+    "cli"
+  ],
+  "exports": {
+    ".": "./src/core.js"
+  },
+  "bin": {
+    "third-party-license": "./src/cli.js"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18"
+  }
+}

package/src/cli.js

@@ -0,0 +1,153 @@
+#!/usr/bin/env node
+// CLIエントリーポイント（引数パースとファイル出力を担当）
+import fsp from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { collectThirdPartyLicenses, DEFAULT_OPTIONS } from "./core.js";
+import { LICENSE_FILES_LABEL } from "./constants.js";
+
+// 引数パース: --review / --license は最後に指定されたものを優先し、直後の値があれば出力ファイル名として扱う
+function parseArgs(argv) {
+  const args = { ...DEFAULT_OPTIONS };
+  let outputMode = "both"; // "both" | "review" | "license"
+
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === "--node-modules" || a === "--nodeModules") {
+      const dir = optionalValue(argv, i + 1);
+      if (dir) {
+        args.nodeModules = dir;
+        i += 1;
+      }
+    } else if (a === "--review") {
+      outputMode = "review";
+      const file = optionalValue(argv, i + 1);
+      if (file) {
+        args.reviewFile = file;
+        i += 1;
+      }
+    } else if (a === "--license") {
+      outputMode = "license";
+      const file = optionalValue(argv, i + 1);
+      if (file) {
+        args.outFile = file;
+        i += 1;
+      }
+    } else if (a === "--recreate") {
+      args.mode = "recreate";
+    } else if (a === "--update") {
+      args.mode = "update";
+    } else if (a === "--fail-on-missing") {
+      args.failOnMissing = true;
+    } else if (a === "-h" || a === "--help") {
+      showHelp();
+      process.exit(0);
+    }
+  }
+  applyOutputMode(outputMode, args);
+  return args;
+}
+
+// オプションの直後にファイル名があれば取得（次のトークンが別オプションなら無視）
+function optionalValue(argv, idx) {
+  const v = argv[idx];
+  if (!v) return null;
+  return v.startsWith("-") ? null : v;
+}
+
+// 生成対象をまとめて決定（両方／レビューのみ／ライセンスのみ）
+function applyOutputMode(mode, args) {
+  if (mode === "review") {
+    args.writeMain = false;
+    args.writeReview = true;
+  } else if (mode === "license") {
+    args.writeMain = true;
+    args.writeReview = false;
+  } else {
+    args.writeMain = true;
+    args.writeReview = true;
+  }
+}
+
+function showHelp() {
+  console.log(`Usage:
+  third-party-license [--node-modules <dir>] [--review [file]] [--license [file]] [--recreate|--update] [--fail-on-missing]
+`);
+}
+
+async function ensureParentDir(filePath) {
+  const dir = path.dirname(filePath);
+  await fsp.mkdir(dir, { recursive: true });
+}
+
+export async function runCli(argv = process.argv.slice(2)) {
+  const args = parseArgs(argv);
+
+  try {
+    const result = await collectThirdPartyLicenses(args);
+
+    const dirsToEnsure = [];
+    if (result.options.writeMain)
+      dirsToEnsure.push(ensureParentDir(result.options.outFile));
+    if (result.options.writeReview) {
+      dirsToEnsure.push(ensureParentDir(result.options.reviewFile));
+    }
+    await Promise.all(dirsToEnsure);
+
+    const writeTasks = [];
+    if (result.options.writeMain) {
+      writeTasks.push(
+        fsp.writeFile(result.options.outFile, result.mainContent, "utf8")
+      );
+    }
+    if (result.options.writeReview) {
+      writeTasks.push(
+        fsp.writeFile(result.options.reviewFile, result.reviewContent, "utf8")
+      );
+    }
+    await Promise.all(writeTasks);
+
+    if (result.options.writeMain)
+      console.log(
+        `Generated: ${result.options.outFileDisplay ?? result.options.outFile}`
+      );
+    if (result.options.writeReview)
+      console.log(
+        `Review:    ${
+          result.options.reviewFileDisplay ?? result.options.reviewFile
+        }`
+      );
+    console.log(`Packages:  ${result.stats.packages}`);
+    console.log(
+      `Missing ${LICENSE_FILES_LABEL}: ${result.stats.missingFiles.length}`
+    );
+
+    if (result.stats.missingFiles.length > 0 && result.options.failOnMissing) {
+      process.exitCode = 1;
+    }
+  } catch (e) {
+    console.error(e?.stack || String(e));
+    process.exit(2);
+  }
+}
+
+function isCliExecution() {
+  // npmの .bin シム経由でも動作するように、実ファイル一致と .bin 配下を許可
+  const argv1 = process.argv[1];
+  if (!argv1) return false;
+  const self = fileURLToPath(import.meta.url);
+  const resolvedArg = path.resolve(argv1);
+  if (resolvedArg === self) return true;
+
+  const base = path.basename(resolvedArg).toLowerCase();
+  if (base === "third-party-license" || base === "third-party-license.cmd") {
+    return true;
+  }
+  if (resolvedArg.includes(`${path.sep}.bin${path.sep}`)) return true;
+  return false;
+}
+
+if (isCliExecution()) {
+  // eslint-disable-next-line unicorn/prefer-top-level-await
+  runCli();
+}

package/src/constants.js

@@ -0,0 +1,20 @@
+// デフォルト値と定数群
+export const DEFAULT_OPTIONS = {
+  nodeModules: "node_modules",
+  outFile: "THIRD-PARTY-LICENSE.md",
+  reviewFile: "THIRD-PARTY-LICENSE-REVIEW.md",
+  failOnMissing: false,
+  mode: "recreate", // "recreate" | "update"
+};
+
+// ライセンスらしいファイル名を検出する正規表現
+const LICENSE_LIKE_BASE =
+  "(LICEN[CS]E|COPYING|COPYRIGHT|NOTICE|THIRD[-_. ]?PARTY[-_. ]?(?:NOTICES?|NOTICE[-_. ]?TEXTS?|TEXTS?|LICENSES?))";
+
+export const LICENSE_LIKE_RE = new RegExp(
+  `^${LICENSE_LIKE_BASE}(\\..*)?$|^${LICENSE_LIKE_BASE}-`,
+  "i"
+);
+
+export const LICENSE_FILES_LABEL =
+  "LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING";

package/src/core.js

@@ -0,0 +1,167 @@
+import fsp from "node:fs/promises";
+import path from "node:path";
+import { DEFAULT_OPTIONS } from "./constants.js";
+import { gatherPackages } from "./scan.js";
+import { renderMain, renderReview } from "./render.js";
+import { makeAnchorId, uniqSorted } from "./fs-utils.js";
+import {
+  parseExistingMainFile,
+  parseExistingReviewFile,
+} from "./existing.js";
+
+// Default warning handler (prints to console)
+const defaultWarn = (msg) => {
+  console.warn(`warning: ${msg}`);
+};
+
+// Public API: scan licenses and render markdown
+export async function collectThirdPartyLicenses(options = {}) {
+  const opts = normalizeOptions(options);
+  await assertNodeModulesExists(opts.nodeModules); // fail fast when node_modules is missing
+
+  const scanResult = await gatherPackages(opts);
+  const presentPackages = withPresentUsage(scanResult.packages);
+
+  const packages =
+    opts.mode === "update"
+      ? await mergeWithExistingOutputs(presentPackages, opts)
+      : presentPackages;
+
+  const sortedPackages = sortPackages(packages);
+
+  const mainContent = renderMain(sortedPackages, opts);
+  const reviewContent = renderReview(
+    sortedPackages,
+    opts,
+    scanResult.missingFiles,
+    scanResult.missingSource,
+    scanResult.missingLicenseField
+  );
+
+  return {
+    mainContent,
+    reviewContent,
+    options: opts,
+    stats: {
+      packages: scanResult.seenCount,
+      missingFiles: uniqSorted(scanResult.missingFiles),
+      missingSource: uniqSorted(scanResult.missingSource),
+      missingLicenseField: uniqSorted(scanResult.missingLicenseField),
+    },
+  };
+}
+
+export { DEFAULT_OPTIONS } from "./constants.js";
+
+function normalizeOptions(options) {
+  const cwd = process.cwd();
+  const nodeModules = path.resolve(
+    options.nodeModules ?? DEFAULT_OPTIONS.nodeModules
+  );
+  const outFile = path.resolve(options.outFile ?? DEFAULT_OPTIONS.outFile);
+  const reviewFile = path.resolve(
+    options.reviewFile ?? DEFAULT_OPTIONS.reviewFile
+  );
+
+  return {
+    nodeModules,
+    outFile,
+    reviewFile,
+    nodeModulesDisplay: makeDisplayPath(nodeModules, cwd),
+    outFileDisplay: makeDisplayPath(outFile, cwd),
+    reviewFileDisplay: makeDisplayPath(reviewFile, cwd),
+    failOnMissing: Boolean(
+      options.failOnMissing ?? DEFAULT_OPTIONS.failOnMissing
+    ),
+    writeMain: options.writeMain ?? true,
+    writeReview: options.writeReview ?? true,
+    warn: options.onWarn ?? defaultWarn,
+    mode: normalizeMode(options.mode),
+  };
+}
+
+function normalizeMode(mode) {
+  const m = typeof mode === "string" ? mode.toLowerCase() : "";
+  return m === "update" ? "update" : DEFAULT_OPTIONS.mode;
+}
+
+function makeDisplayPath(targetPath, cwd) {
+  const rel = path.relative(cwd, targetPath);
+  return rel || ".";
+}
+
+async function assertNodeModulesExists(dir) {
+  const stat = await fsp.stat(dir).catch(() => null);
+  if (!stat || !stat.isDirectory()) {
+    throw new Error(`not found node_modules: ${dir}`);
+  }
+}
+
+function withPresentUsage(packages) {
+  return packages.map((pkg) => ({
+    ...pkg,
+    usage: "present",
+    notes: "",
+  }));
+}
+
+async function mergeWithExistingOutputs(currentPackages, opts) {
+  const [existingMain, existingReview] = await Promise.all([
+    parseExistingMainFile(opts.outFile),
+    parseExistingReviewFile(opts.reviewFile),
+  ]);
+
+  // Start with previously known packages as "missing" (not found in this scan)
+  const merged = new Map();
+  for (const [key, prevReview] of existingReview.entries()) {
+    const prevMain = existingMain.get(key);
+    merged.set(key, toMissingPackage(key, prevMain, prevReview));
+  }
+  for (const [key, prevMain] of existingMain.entries()) {
+    if (!merged.has(key)) {
+      merged.set(key, toMissingPackage(key, prevMain, null));
+    }
+  }
+
+  // Override with current scan (present in node_modules), keeping previous notes when available
+  for (const pkg of currentPackages) {
+    const prevReview = existingReview.get(pkg.key);
+    merged.set(pkg.key, toPresentPackage(pkg, prevReview));
+  }
+
+  return [...merged.values()];
+}
+
+function toPresentPackage(pkg, prevReview) {
+  return {
+    ...pkg,
+    usage: "present",
+    notes: prevReview?.notes ?? "",
+  };
+}
+
+function toMissingPackage(key, prevMain, prevReview) {
+  return {
+    key,
+    anchor: makeAnchorId(key),
+    source: prevMain?.source ?? prevReview?.source ?? null,
+    license: prevMain?.license ?? prevReview?.license ?? null,
+    fileNames: deriveFileNames(prevMain, prevReview),
+    flags: [],
+    licenseTexts: prevMain?.licenseTexts ?? [],
+    usage: "missing",
+    notes: prevReview?.notes ?? "",
+  };
+}
+
+function deriveFileNames(prevMain, prevReview) {
+  const names =
+    (prevMain?.fileNames && prevMain.fileNames.length > 0
+      ? prevMain.fileNames
+      : prevReview?.fileNames) ?? [];
+  return uniqSorted(names);
+}
+
+function sortPackages(packages) {
+  return [...packages].sort((a, b) => a.key.localeCompare(b.key));
+}

package/src/existing.js

@@ -0,0 +1,168 @@
+import fsp from "node:fs/promises";
+import { makeAnchorId, uniqSorted } from "./fs-utils.js";
+import { LICENSE_FILES_LABEL } from "./constants.js";
+
+export async function parseExistingMainFile(filePath) {
+  const content = await readFileSafe(filePath);
+  if (!content) return new Map();
+
+  const map = new Map();
+  for (const { key, body } of splitPackageBlocks(content)) {
+    map.set(key, parseMainBlock(key, body));
+  }
+  return map;
+}
+
+export async function parseExistingReviewFile(filePath) {
+  const content = await readFileSafe(filePath);
+  if (!content) return new Map();
+
+  const map = new Map();
+  for (const { key, body } of splitPackageBlocks(content)) {
+    map.set(key, parseReviewBlock(key, body));
+  }
+  return map;
+}
+
+async function readFileSafe(filePath) {
+  try {
+    return await fsp.readFile(filePath, "utf8");
+  } catch {
+    return null;
+  }
+}
+
+function splitPackageBlocks(content) {
+  const blocks = [];
+  const headingRe = /^##\s+(.+)$/gm;
+  let match;
+  let current = null;
+
+  while ((match = headingRe.exec(content))) {
+    if (current) {
+      blocks.push({
+        key: current.key,
+        body: content.slice(current.start, match.index),
+      });
+    }
+    current = { key: match[1].trim(), start: match.index };
+  }
+
+  if (current) {
+    blocks.push({
+      key: current.key,
+      body: content.slice(current.start),
+    });
+  }
+
+  return blocks;
+}
+
+function parseMainBlock(key, body) {
+  const source = pickLine(body, /^- Source:\s*(.+)$/m);
+  const license = pickLine(body, /^- License:\s*(.+)$/m);
+  const usage = pickLine(body, /^- Usage:\s*(.+)$/m);
+
+  const licenseTexts = [];
+  const licRe = /###\s+(.+?)\s*\r?\n```text\r?\n([\s\S]*?)```/g;
+  let licMatch;
+  while ((licMatch = licRe.exec(body))) {
+    licenseTexts.push({
+      name: licMatch[1].trim(),
+      text: licMatch[2],
+    });
+  }
+
+  const fileNames = [];
+  for (const m of body.matchAll(/^- (.+)$/gm)) {
+    const val = m[1].trim();
+    if (
+      val.startsWith("Source:") ||
+      val.startsWith("License:") ||
+      val.startsWith("Usage:")
+    ) {
+      continue;
+    }
+    if (
+      val.startsWith("(no LICENSE/NOTICE/COPYING files)") ||
+      val.startsWith(`(no ${LICENSE_FILES_LABEL} files)`)
+    ) {
+      continue;
+    }
+    fileNames.push(val);
+  }
+
+  const derivedNames =
+    fileNames.length > 0 ? fileNames : licenseTexts.map((x) => x.name);
+
+  return {
+    key,
+    anchor: makeAnchorId(key),
+    source: source || null,
+    license: license || null,
+    fileNames: uniqSorted(derivedNames),
+    flags: [],
+    licenseTexts,
+    usage: usage || "",
+    notes: "",
+  };
+}
+
+function parseReviewBlock(key, body) {
+  const source = pickLine(body, /^- Source:\s*(.+)$/m);
+  const license = pickLine(body, /^- License:\s*(.+)$/m);
+
+  const lines = body.split(/\r?\n/);
+  const fileNames = [];
+
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    if (!line.startsWith("- Files:")) continue;
+
+    let j = i + 1;
+    while (j < lines.length && lines[j].startsWith("  -")) {
+      fileNames.push(lines[j].replace(/^  -\s*/, ""));
+      j += 1;
+    }
+    i = j - 1;
+  }
+
+  let notes = "";
+  const notesIdx = lines.findIndex((l) => l.startsWith("- Notes:"));
+  if (notesIdx !== -1) {
+    const noteLines = [];
+    for (let i = notesIdx + 1; i < lines.length; i += 1) {
+      const line = lines[i];
+      if (line.startsWith("## ")) break;
+      if (line.startsWith("- ")) break;
+      if (line.startsWith("---")) break;
+      if (line.startsWith("  ")) {
+        noteLines.push(line.slice(2));
+        continue;
+      }
+      if (line.trim() === "") {
+        noteLines.push("");
+        continue;
+      }
+      break;
+    }
+    notes = noteLines.join("\n").replace(/\s+$/, "");
+  }
+
+  return {
+    key,
+    anchor: makeAnchorId(key),
+    source: source || null,
+    license: license || null,
+    fileNames: uniqSorted(fileNames),
+    flags: [],
+    licenseTexts: [],
+    usage: "",
+    notes,
+  };
+}
+
+function pickLine(body, re) {
+  const m = body.match(re);
+  return m ? m[1].trim() : "";
+}

package/src/fs-utils.js

@@ -0,0 +1,114 @@
+import fsp from "node:fs/promises";
+import path from "node:path";
+import { LICENSE_LIKE_RE } from "./constants.js";
+
+// 文字コードを判定しつつ文字列へデコードする
+export function decodeSmart(buf) {
+  if (buf.length >= 2) {
+    const b0 = buf[0];
+    const b1 = buf[1];
+    if (b0 === 0xff && b1 === 0xfe) {
+      return new TextDecoder("utf-16le").decode(buf.subarray(2));
+    }
+    if (b0 === 0xfe && b1 === 0xff) {
+      const be = buf.subarray(2);
+      const swapped = Buffer.allocUnsafe(be.length);
+      for (let i = 0; i + 1 < be.length; i += 2) {
+        swapped[i] = be[i + 1];
+        swapped[i + 1] = be[i];
+      }
+      return new TextDecoder("utf-16le").decode(swapped);
+    }
+  }
+  if (
+    buf.length >= 3 &&
+    buf[0] === 0xef &&
+    buf[1] === 0xbb &&
+    buf[2] === 0xbf
+  ) {
+    return new TextDecoder("utf-8").decode(buf.subarray(3));
+  }
+
+  try {
+    return new TextDecoder("utf-8", { fatal: true }).decode(buf);
+  } catch {
+    return new TextDecoder("latin1").decode(buf);
+  }
+}
+
+// LICENSE/NOTICE などのライセンス系ファイルを探す
+export async function getLicenseLikeFilesInFolderRoot(pkgDir) {
+  try {
+    const ents = await fsp.readdir(pkgDir, { withFileTypes: true });
+    return ents
+      .filter((e) => e.isFile() && LICENSE_LIKE_RE.test(e.name))
+      .map((e) => path.join(pkgDir, e.name))
+      .sort((a, b) => path.basename(a).localeCompare(path.basename(b)));
+  } catch {
+    return [];
+  }
+}
+
+// package.json を深さ優先で探す（node_modules/.bin は除外）
+export async function* walkForPackageJson(rootDir) {
+  const stack = [rootDir];
+
+  while (stack.length) {
+    const dir = stack.pop();
+    if (!dir) continue;
+
+    let ents;
+    try {
+      ents = await fsp.readdir(dir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+
+    for (const e of ents) {
+      const full = path.join(dir, e.name);
+      if (e.isDirectory()) {
+        if (e.name === ".bin") continue;
+        stack.push(full);
+        continue;
+      }
+      if (e.isFile() && e.name === "package.json") {
+        if (full.includes(`${path.sep}.bin${path.sep}`)) continue;
+        yield full;
+      }
+    }
+  }
+}
+
+export async function readPackageJson(pjPath) {
+  try {
+    const txt = await fsp.readFile(pjPath, "utf8");
+    return JSON.parse(txt);
+  } catch {
+    return null;
+  }
+}
+
+// BOM や UTF-16 を考慮してテキストを読み込む
+export async function readTextFileSmart(filePath) {
+  const buf = await fsp.readFile(filePath);
+  return decodeSmart(buf);
+}
+
+export function mdSafeText(s) {
+  return String(s).replace(/```/g, "``\u200b`");
+}
+
+export function uniqSorted(arr) {
+  return [...new Set(arr)].sort();
+}
+
+// アンカー用の安全な ID を作る
+export function makeAnchorId(key) {
+  return (
+    "pkg-" +
+    String(key)
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, "-")
+      .replace(/^-+|-+$/g, "")
+  );
+}

package/src/render.js

@@ -0,0 +1,128 @@
+import os from "node:os";
+import path from "node:path";
+import { mdSafeText, uniqSorted } from "./fs-utils.js";
+import { LICENSE_FILES_LABEL } from "./constants.js";
+
+// メインのTHIRD-PARTY-LICENSE.mdを描画する
+export function renderMain(packages, opts) {
+  const lines = [];
+  const push = (s = "") => lines.push(s);
+
+  push("# Third-Party Licenses");
+  push("");
+  push(`Generated from: ${opts.nodeModulesDisplay ?? opts.nodeModules}`);
+  push("");
+
+  for (const pkg of packages) {
+    push(`<a id="${pkg.anchor}"></a>`);
+    push(`## ${pkg.key}`);
+    push(`- Source: ${pkg.source ?? "(missing)"}`);
+    push(`- License: ${pkg.license ?? "(missing)"}`);
+    push(`- Usage: ${describeUsage(pkg.usage)}`);
+
+    const fileNames = pkg.fileNames ?? [];
+    if (fileNames.length === 0) {
+      push(`- (no ${LICENSE_FILES_LABEL} files)`);
+      push("");
+      push(`_No ${LICENSE_FILES_LABEL} file found in package directory._`);
+      push("");
+      continue;
+    }
+
+    for (const n of fileNames) push(`- ${n}`);
+    push("");
+
+    for (const lic of pkg.licenseTexts ?? []) {
+      push(`### ${lic.name}`);
+      push("```text");
+      push(mdSafeText(lic.text).replace(/\s+$/, ""));
+      push("```");
+      push("");
+    }
+  }
+
+  return lines.join(os.EOL) + os.EOL;
+}
+
+// レビューファイルを描画する
+export function renderReview(
+  packages,
+  opts,
+  missingFiles,
+  missingSource,
+  missingLicenseField
+) {
+  const lines = [];
+  const push = (s = "") => lines.push(s);
+  const mainPath = makeMainLinkPath(opts);
+
+  push("# THIRD-PARTY-LICENSE-REVIEW");
+  push("");
+  push(`Generated from: ${opts.nodeModulesDisplay ?? opts.nodeModules}`);
+  push(`Main file: ${mainPath}`);
+  push("");
+
+  for (const it of [...packages].sort((a, b) => a.key.localeCompare(b.key))) {
+    push(`## ${it.key}`);
+    push(`- Main: ${mainPath}#${it.anchor}`);
+    push(`- Source: ${it.source ?? "(missing)"}`);
+    push(`- License: ${it.license ?? "(missing)"}`);
+
+    push("- Files:");
+    const fileNames = it.fileNames ?? [];
+    if (fileNames.length === 0) {
+      push("  - (none)");
+    } else {
+      for (const f of fileNames) push(`  - ${f}`);
+    }
+
+    const statusParts = [describeUsage(it.usage), ...(it.flags ?? [])].filter(
+      Boolean
+    );
+    const status =
+      statusParts.length === 0 ? "Check manually" : statusParts.join(" / ");
+    push(`- Status: ${status}`);
+
+    push("- Notes:");
+    if (it.notes && it.notes.length > 0) {
+      for (const line of it.notes.split(/\r?\n/)) {
+        push(`  ${line}`);
+      }
+    }
+    push("");
+  }
+
+  push("---");
+  push("");
+  push("## Missing summary");
+  push("");
+
+  const writeList = (title, arr) => {
+    push(`### ${title}`);
+    push("");
+    const xs = uniqSorted(arr);
+    if (xs.length === 0) push("- (none)");
+    else for (const x of xs) push(`- ${x}`);
+    push("");
+  };
+
+  writeList("Missing Source", missingSource);
+  writeList("Missing package.json license field", missingLicenseField);
+  writeList(`Missing ${LICENSE_FILES_LABEL} files`, missingFiles);
+
+  return lines.join(os.EOL) + os.EOL;
+}
+
+function makeMainLinkPath(opts) {
+  const baseDir = path.dirname(opts.reviewFile);
+  const rel = path.relative(baseDir, opts.outFile);
+  const normalized = rel.replace(/\\/g, "/");
+  return normalized || path.basename(opts.outFile);
+}
+
+function describeUsage(usage) {
+  if (usage === "missing") {
+    return "Not found in node_modules (kept from previous output)";
+  }
+  return "Present in node_modules";
+}

package/src/scan.js

@@ -0,0 +1,135 @@
+import path from "node:path";
+import {
+  getLicenseLikeFilesInFolderRoot,
+  makeAnchorId,
+  readPackageJson,
+  readTextFileSmart,
+  uniqSorted,
+  walkForPackageJson,
+} from "./fs-utils.js";
+import { getRepositoryUrl } from "./url.js";
+import { LICENSE_FILES_LABEL } from "./constants.js";
+
+// node_modules を走査してパッケージ情報を集約する
+export async function gatherPackages(opts) {
+  const missingFiles = [];
+  const missingSource = [];
+  const missingLicenseField = [];
+  const packages = [];
+  const seen = new Set();
+
+  for await (const pj of walkForPackageJson(opts.nodeModules)) {
+    const pkgDir = path.dirname(pj);
+    const pkg = await readPackageJson(pj);
+    if (!pkg) continue;
+
+    const name =
+      typeof pkg.name === "string" && pkg.name.trim().length > 0
+        ? pkg.name.trim()
+        : "";
+    const version =
+      typeof pkg.version === "string" && pkg.version.trim().length > 0
+        ? pkg.version.trim()
+        : "";
+    if (!name || !version) continue;
+
+    const key = `${name}@${version}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+
+    const anchor = makeAnchorId(key);
+    const source = getRepositoryUrl(pkg);
+    const license = formatLicense(pkg.license); // 文字列/オブジェクト/配列すべてを受け付ける
+
+    const flags = [];
+    if (!source) {
+      missingSource.push(key);
+      flags.push("Missing Source");
+      opts.warn(`Unknown source: ${key}`);
+    }
+    if (!license) {
+      missingLicenseField.push(key);
+      flags.push("Missing package.json license");
+      opts.warn(`Missing license in package.json: ${key}`);
+    }
+
+    const licFiles = await getLicenseLikeFilesInFolderRoot(pkgDir);
+    const fileNames = licFiles.map((f) => path.basename(f));
+
+    if (licFiles.length === 0) {
+      missingFiles.push(key);
+      const missingMsg = `Missing ${LICENSE_FILES_LABEL} files`;
+      flags.push(missingMsg);
+      opts.warn(`Missing ${LICENSE_FILES_LABEL} in ${pkgDir} (${key})`);
+    }
+
+    const licenseTexts =
+      licFiles.length > 0
+        ? await Promise.all(
+            licFiles.map(async (filePath) => ({
+              name: path.basename(filePath),
+              text: await readTextFileSmart(filePath),
+            }))
+          )
+        : [];
+
+    packages.push({
+      key,
+      anchor,
+      source,
+      license,
+      fileNames,
+      flags,
+      licenseTexts,
+    });
+  }
+
+  return {
+    packages,
+    missingFiles: uniqSorted(missingFiles),
+    missingSource: uniqSorted(missingSource),
+    missingLicenseField: uniqSorted(missingLicenseField),
+    seenCount: seen.size,
+  };
+}
+
+// license フィールドを人間可読にまとめる（文字列/オブジェクト/配列に対応）
+function formatLicense(raw) {
+  const parts = [];
+
+  const pushMaybe = (v) => {
+    if (typeof v === "string" && v.trim()) parts.push(v.trim());
+  };
+
+  const handleObj = (licObj) => {
+    if (!licObj || typeof licObj !== "object") return;
+    const type =
+      typeof licObj.type === "string" && licObj.type.trim()
+        ? licObj.type.trim()
+        : "";
+    const url =
+      typeof licObj.url === "string" && licObj.url.trim()
+        ? licObj.url.trim()
+        : "";
+    if (type && url) {
+      parts.push(`${type} (${url})`);
+    } else {
+      pushMaybe(type);
+      pushMaybe(url);
+    }
+  };
+
+  if (typeof raw === "string") {
+    pushMaybe(raw);
+  } else if (Array.isArray(raw)) {
+    for (const lic of raw) {
+      if (typeof lic === "string") pushMaybe(lic);
+      else handleObj(lic);
+    }
+  } else {
+    handleObj(raw);
+  }
+
+  if (parts.length === 0) return null;
+  return [...new Set(parts)].join(" | ");
+}

package/src/url.js

@@ -0,0 +1,8 @@
+// package.jsonのrepositoryからURLを取り出す
+export function getRepositoryUrl(pkg) {
+  const repo = pkg?.repository;
+  if (!repo) return null;
+  if (typeof repo === "string") return repo;
+  if (typeof repo === "object" && typeof repo.url === "string") return repo.url;
+  return null;
+}