periapsis 1.0.1 → 1.0.3

package/.github/workflows/periapsis-license-check.yml

@@ -0,0 +1,60 @@
+name: Periapsis License Check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+
+jobs:
+  periapsis:
+    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run Periapsis policy check
+        id: periapsis
+        continue-on-error: true
+        run: npx periapsis --violations-out sbom-violations.json
+
+      - name: Enforce zero violations
+        if: always()
+        run: |
+          if [ "${{ steps.periapsis.outcome }}" != "success" ]; then
+            echo "Periapsis command failed."
+            exit 1
+          fi
+
+          if [ ! -f sbom-violations.json ]; then
+            echo "sbom-violations.json was not generated."
+            exit 1
+          fi
+
+          VIOLATION_COUNT=$(node -e "const fs=require('fs');const d=JSON.parse(fs.readFileSync('sbom-violations.json','utf8'));const count=Array.isArray(d)?d.length:(Array.isArray(d?.violations)?d.violations.length:0);process.stdout.write(String(count));")
+          echo "Detected violations: ${VIOLATION_COUNT}"
+
+          if [ "${VIOLATION_COUNT}" -gt 0 ]; then
+            echo "License policy violations detected."
+            exit 1
+          fi
+
+      - name: Upload violations report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: periapsis-violations
+          path: sbom-violations.json
+          if-no-files-found: ignore

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "periapsis",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "private": false,
   "type": "module",
   "scripts": {
@@ -30,5 +30,8 @@
     "spdx",
     "cli"
   ],
-  "license": "MIT"
+  "license": "MIT",
+  "devDependencies": {
+    "periapsis": "^1.0.1"
+  }
 }

package/policy/licenses.json

@@ -1 +1,15 @@
-[]
+[
+  {
+    "identifier": "CC-BY-3.0",
+    "category": "Permissive Licenses",
+    "fullName": "CC-BY-3.0",
+    "notes": "allows users to share, adapt, and commercially use, distribute, or remix a work, provided that appropriate credit is given to the original creator. It is a free, irrevocable, and non-exclusive license that requires attribution and a link to the license.",
+    "rationale": "Low risk",
+    "approvedBy": [
+      "Shane Fast"
+    ],
+    "approvedAt": "2026-02-13T22:00:52.348Z",
+    "expiresAt": null,
+    "evidenceRef": "https://creativecommons.org/licenses/by/3.0/deed.en"
+  }
+]

package/sbom-licenses.json

@@ -1,4 +1,89 @@
 [
+  {
+    "name": "ajv",
+    "version": "8.17.1",
+    "license": "MIT",
+    "path": "node_modules/ajv",
+    "repository": "ajv-validator/ajv",
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "ajv-formats",
+    "version": "3.0.1",
+    "license": "MIT",
+    "path": "node_modules/ajv-formats",
+    "repository": {
+      "type": "git",
+      "url": "git+https://github.com/ajv-validator/ajv-formats.git"
+    },
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "fast-deep-equal",
+    "version": "3.1.3",
+    "license": "MIT",
+    "path": "node_modules/fast-deep-equal",
+    "repository": {
+      "type": "git",
+      "url": "git+https://github.com/epoberezkin/fast-deep-equal.git"
+    },
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "fast-uri",
+    "version": "3.1.0",
+    "license": "BSD-3-Clause",
+    "path": "node_modules/fast-uri",
+    "repository": {
+      "type": "git",
+      "url": "git+https://github.com/fastify/fast-uri.git"
+    },
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "json-schema-traverse",
+    "version": "1.0.0",
+    "license": "MIT",
+    "path": "node_modules/json-schema-traverse",
+    "repository": {
+      "type": "git",
+      "url": "git+https://github.com/epoberezkin/json-schema-traverse.git"
+    },
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "periapsis",
+    "version": "1.0.1",
+    "license": "MIT",
+    "path": "node_modules/periapsis",
+    "repository": {
+      "type": "git",
+      "url": "https://github.com/scfast/periapsis"
+    },
+    "dependencyTypes": [
+      "devDependencies"
+    ]
+  },
+  {
+    "name": "require-from-string",
+    "version": "2.0.2",
+    "license": "MIT",
+    "path": "node_modules/require-from-string",
+    "repository": "floatdrop/require-from-string",
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
   {
     "name": "semver",
     "version": "7.7.4",
@@ -7,6 +92,39 @@
     "repository": {
       "type": "git",
       "url": "git+https://github.com/npm/node-semver.git"
-    }
+    },
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "spdx-exceptions",
+    "version": "2.5.0",
+    "license": "CC-BY-3.0",
+    "path": "node_modules/spdx-exceptions",
+    "repository": "kemitchell/spdx-exceptions.json",
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "spdx-expression-parse",
+    "version": "4.0.0",
+    "license": "MIT",
+    "path": "node_modules/spdx-expression-parse",
+    "repository": "jslicense/spdx-expression-parse.js",
+    "dependencyTypes": [
+      "dependencies"
+    ]
+  },
+  {
+    "name": "spdx-license-ids",
+    "version": "3.0.22",
+    "license": "CC0-1.0",
+    "path": "node_modules/spdx-license-ids",
+    "repository": "jslicense/spdx-license-ids",
+    "dependencyTypes": [
+      "dependencies"
+    ]
   }
 ]