npx claudepluginhub cwinvestments/memstack --plugin memstackThis skill uses the workspace's default tool permissions.
*Scans a repository for every license that touches the product (deps, vendored code, fonts, assets), then produces a per-package verdict table marking each as Ready, Citation Required, Needs Info, or Not Allowed for commercial use.*
Performs interactive open-source license compliance audits: identifies dependency licenses from manifests like package.json and pyproject.toml, flags risks, detects incompatibilities based on project license and risk tolerance.
Guides open source license compliance: evaluates dependencies, analyzes compatibility between licenses, tracks obligations, and supports attribution and workflows for distribution.
Audits package dependency licenses in Dart/Flutter projects using Very Good CLI packages_check_licenses tool. Flags non-compliant/unknown licenses and generates compliance reports.
Share bugs, ideas, or general feedback.
Scans a repository for every license that touches the product (deps, vendored code, fonts, assets), then produces a per-package verdict table marking each as Ready, Citation Required, Needs Info, or Not Allowed for commercial use.
When this skill activates, output:
Licensing — Commercial-use license audit from the repo...
Then execute the protocol below.
| Context | Status |
|---|---|
| User says "license audit", "licensing", "license check" | ACTIVE |
| User asks "can I use this commercially?" or "is this safe to ship?" | ACTIVE |
| User mentions GPL, AGPL, LGPL, MPL, MIT, BSD, Apache, copyleft | ACTIVE |
| User is preparing to ship, sell, or relicense a product | ACTIVE |
| User wants security vulnerability scanning | DORMANT — use dependency-audit |
| User wants a service contract or NDA | DORMANT — use contract-template |
| Mistake | Why It's Wrong |
|---|---|
| "MIT and GPL are both open source so they're compatible" | Combining MIT into GPL is fine; the reverse forces your code under GPL. Direction matters. |
| "We don't distribute, so AGPL doesn't apply" | AGPL §13 triggers on network use. SaaS counts. |
| "It's on GitHub so it's free to use" | Public ≠ licensed. No LICENSE file = all rights reserved. |
| "Transitive dependencies don't matter" | Your bundle ships every dep in the tree. Copyleft transitives can taint the whole product. |
| "License from package.json metadata is authoritative" | The actual LICENSE file in upstream source is authoritative. Metadata is often wrong, missing, or outdated. |
| "BSL / SSPL / Elastic / Commons Clause are open source" | They are not OSI-approved and usually restrict commercial hosting or competition. Read the actual terms. |
Disclaimer: Produces a license inventory and risk assessment, not legal advice. License interpretation — especially copyleft scope, "linking", and SaaS triggers — is contested. Engage IP counsel before shipping high-stakes products.
Just one question — the verdict logic depends on it:
How is the product distributed?
- A. SaaS / hosted (users access over the network, no binary handed out)
- B. Distributed binary (desktop, mobile, on-prem install, downloadable executable)
- C. Open-source library you publish for others to consume
- D. Internal only (no users outside your organisation)
Default to A if the repo contains web framework code (Next.js, FastAPI, Rails, etc.) and no installer/build target.
Walk every manifest, lockfile, vendored directory, and asset folder. Never trust a single source — cross-check.
| Stack | Manifest | Discovery command |
|---|---|---|
| Node.js | package.json, package-lock.json, pnpm-lock.yaml, yarn.lock | npm ls --all --json then npx license-checker --json --production |
| Python | requirements*.txt, pyproject.toml, Pipfile.lock, poetry.lock | pip-licenses --format=json --with-license-file --with-urls |
| Rust | Cargo.toml, Cargo.lock | cargo license --json |
| Go | go.mod, go.sum | go-licenses report ./... --template '{{.Name}},{{.LicenseName}},{{.LicenseURL}}' |
| Java | pom.xml, build.gradle | mvn license:add-third-party or gradle-license-report |
| Ruby | Gemfile, Gemfile.lock | bundle exec license_finder report --format json |
| PHP | composer.json, composer.lock | composer licenses --format=json |
| .NET | *.csproj, packages.lock.json | dotnet list package --include-transitive + nuget-license |
| Container base images | Dockerfile | syft <image> -o spdx-json then read package licenses |
| Vendored / submodules | vendor/, third_party/, .gitmodules | walk directories — look for LICENSE, LICENSE.md, COPYING, NOTICE |
| Fonts / icons / media | assets/, public/, static/ | check each asset's source license — commonly missed |
| Snippets and copy-pasted code | comments, headers | `grep -rEin "Copyright |
For everything found, capture:
| Package | Version | Declared license (manifest) | License file present | Direct/transitive | Source URL |
|---------|---------|----------------------------|---------------------|-------------------|------------|
| react | 18.3.1 | MIT | Yes | direct | github.com/facebook/react |
| ... | ... | ... | ... | ... | ... |
For every entry that is HIGH-impact (copyleft candidate, missing license, or version where licenses are known to change), open the upstream LICENSE file and confirm the SPDX identifier.
Watch for license changes between versions:
| Project | Version cut | Old → New |
|---|---|---|
| Elasticsearch | 7.10 → 7.11 | Apache-2.0 → SSPL/Elastic |
| Redis | 7.2 → 7.4 | BSD → SSPL/RSAL |
| Terraform | 1.5 → 1.6 | MPL-2.0 → BSL |
| MongoDB | 4.0 | AGPL → SSPL |
| HashiCorp tools | 2023 | MPL-2.0 → BSL |
| Sentry | 8.x | BSD → FSL |
Pin to the last compliant version or migrate.
Also check for:
| Class | Examples | Commercial use allowed? | Reach |
|---|---|---|---|
| Public domain | CC0, Unlicense, WTFPL, 0BSD | Yes — no obligations | None |
| Permissive | MIT, BSD-2/3, ISC, Apache-2.0, Zlib | Yes — preserve notice | None |
| Weak copyleft | LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0 | Yes with obligations | File-level (MPL) or dynamic-linking carve-out (LGPL) |
| Strong copyleft | GPL-2.0, GPL-3.0 | Yes — but derivative works become GPL on distribution | Whole derivative work |
| Network copyleft | AGPL-3.0 | Yes — but SaaS triggers source disclosure | Whole derivative work + network use |
| Source-available (non-OSI) | BSL, SSPL, Elastic v2, Commons Clause, RSAL, FSL | Restricted — usually no competing hosted service | Per terms |
| Creative Commons | CC-BY, CC-BY-SA, CC-BY-NC, CC-BY-ND | NC = no commercial; SA = share-alike; ND = no derivatives | Per variant |
| Proprietary / commercial EULA | Vendor SDKs, paid libraries | Per contract | Per contract |
| Unknown / no license | No LICENSE file | No — all rights reserved by default | N/A |
For every dependency, run it through the distribution model from Step 1 and assign exactly one verdict:
| Verdict | Symbol | Meaning |
|---|---|---|
| Ready for commercial use | ✅ | No obligations beyond preserving the existing notice file. Safe to ship. |
| Citation / attribution required | 📝 | Commercial use is allowed but the license requires the copyright notice and license text to be reproduced (typically in THIRD_PARTY_LICENSES.md, an About page, or alongside the binary). MIT, BSD, Apache-2.0, ISC, Zlib all fall here when shipped to users. |
| More information needed | ❓ | License is unknown, ambiguous, dual-licensed, or version-changed. Cannot ship until resolved. |
| Not allowed for commercial use | ❌ | License blocks the chosen distribution model. Must replace, remove, relicense, or buy a commercial exception. |
Verdict rules per distribution model:
| License class | A. SaaS | B. Binary | C. OSS library | D. Internal |
|---|---|---|---|---|
| Public domain | ✅ | ✅ | ✅ | ✅ |
| Permissive (MIT, BSD, Apache, ISC, Zlib) | 📝 | 📝 | 📝 | ✅ |
| LGPL | 📝 | 📝 (must allow relinking) | 📝 | ✅ |
| MPL-2.0 / EPL-2.0 | 📝 | 📝 (file-level disclosure) | 📝 | ✅ |
| GPL-2.0 / GPL-3.0 | 📝 (no distribution = no source disclosure) | ❌ (forces whole product GPL) | ❌ unless your lib is also GPL | ✅ |
| AGPL-3.0 | ❌ (network use triggers source disclosure) | ❌ | ❌ unless your lib is AGPL | ✅ |
| BSL | ❓ → usually ❌ for SaaS (read additional use grant) | ❓ | ❌ | ✅ |
| SSPL | ❌ for SaaS | ❌ | ❌ | ✅ |
| Elastic v2 / Commons Clause / RSAL / FSL | ❌ | ❌ | ❌ | ✅ |
| CC-BY | 📝 | 📝 | 📝 | ✅ |
| CC-BY-SA | 📝 (share-alike on derivatives) | 📝 | ❌ unless your work is also SA | ✅ |
| CC-BY-NC | ❌ | ❌ | ❌ | ✅ |
| CC-BY-ND | ❌ if modified | ❌ if modified | ❌ if modified | ✅ |
| Proprietary EULA | per contract | per contract | per contract | per contract |
| Unknown / no license | ❓ → ❌ until resolved | ❓ → ❌ | ❓ → ❌ | ❓ → ❌ |
This is the primary deliverable. One row per dependency, sorted by verdict severity (❌ → ❓ → 📝 → ✅).
| Package | Version | License | Direct/Trans | Verdict | Required action |
|---------|---------|---------|--------------|---------|----------------|
| ❌ mongodb | 6.0.5 | SSPL-1.0 | direct | ❌ Not allowed for SaaS | Replace with PostgreSQL or buy commercial license |
| ❌ some-lib | 2.1.0 | AGPL-3.0 | direct | ❌ Not allowed for SaaS | Replace with permissive alternative |
| ❓ obscure-pkg | 0.4.2 | (no LICENSE file) | transitive | ❓ Unknown | Open upstream issue; pin or remove until resolved |
| ❓ dual-pkg | 1.2.0 | "MIT OR GPL-3.0" | direct | ❓ Choose | Document MIT election in NOTICE |
| 📝 react | 18.3.1 | MIT | direct | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 fastify | 4.26.0 | MIT | direct | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 lodash | 4.17.21 | MIT | transitive | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 protobufjs | 7.2.5 | BSD-3-Clause | transitive | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 fonts/inter | — | OFL-1.1 | asset | 📝 Citation required | Include OFL.txt in assets/fonts/ |
| ✅ classnames | 2.5.1 | MIT | transitive | ✅ Ready | (already in attribution bundle) |
| ✅ public-domain-pkg | 1.0.0 | CC0-1.0 | direct | ✅ Ready | None |
For every 📝 row, the user needs a THIRD_PARTY_LICENSES.md (or NOTICES.txt) shipped alongside the product. Offer to generate it:
# Third-Party Licenses
This product includes the following third-party software:
## react v18.3.1
**License:** MIT
**Source:** https://github.com/facebook/react
**Copyright:** Copyright (c) Meta Platforms, Inc. and affiliates.
[Full MIT license text verbatim]
---
## next-package vA.B.C
...
For Apache-2.0 deps, also preserve any upstream NOTICE file content.
## License Audit — [Project Name]
**Date:** [YYYY-MM-DD]
**Distribution model:** [A. SaaS / B. Binary / C. Library / D. Internal]
**Project's own license:** [SPDX or "proprietary"]
**Total dependencies analysed:** [N direct + M transitive + K assets]
### Verdict summary
| Verdict | Count |
|---------|-------|
| ❌ Not allowed for commercial use | [N] |
| ❓ More information needed | [N] |
| 📝 Citation / attribution required | [N] |
| ✅ Ready for commercial use | [N] |
### Commercial-use verdict
**[CLEAR TO SHIP / CLEAR WITH CITATION OBLIGATIONS / BLOCKED]**
[2–3 sentences explaining the verdict and naming the specific blockers if any.]
### Full verdict table
[Table from Step 6]
### Required attribution bundle
[Either inline THIRD_PARTY_LICENSES.md content, or a list of packages that must appear in it]
### Remediation plan (priority order)
1. **❌ [Blocker]** — [package] — [replace with X / remove feature Y / buy license / quarantine]
2. **❓ [Unknown]** — [package] — [investigation step]
3. **📝 [Attribution gap]** — [add to THIRD_PARTY_LICENSES.md]
### Recommended next steps
1. Resolve every ❌ before shipping
2. Resolve every ❓ before shipping
3. Generate / update `THIRD_PARTY_LICENSES.md` and ship with the product
4. Add an automated license check to CI to catch new dependencies
5. Re-run this audit before each release
6. Have IP counsel review if any BSL/SSPL/AGPL/unknown findings remain
Deliver the Step 8 report as markdown. Save under docs/compliance/license-audit.md if a project layout is available. Save the generated attribution bundle as THIRD_PARTY_LICENSES.md at the repo root. Include the exact discovery commands you ran in an appendix so the user can reproduce.
Licensing — Audit complete!
Distribution model: [A / B / C / D]
Dependencies analysed: [N direct + M transitive + K assets]
❌ Blocked: [N]
❓ Unknown: [N]
📝 Citation required: [N]
✅ Ready: [N]
Verdict: [CLEAR / CLEAR WITH OBLIGATIONS / BLOCKED]
Next steps:
1. Resolve every ❌ before shipping
2. Resolve every ❓ before shipping
3. Ship THIRD_PARTY_LICENSES.md alongside the product
4. Add license check to CI
5. Have IP counsel review high-risk findings