cwinvestments/memstack-business-licensing

Licensing — Commercial-use license audit from the repo...

Scans a repository for every license that touches the product (deps, vendored code, fonts, assets), then produces a per-package verdict table marking each as Ready, Citation Required, Needs Info, or Not Allowed for commercial use.

Activation

When this skill activates, output:

Licensing — Commercial-use license audit from the repo...

Then execute the protocol below.

Context Guard

| Context | Status | |---------|--------| | User says "license audit", "licensing", "license check" | ACTIVE | | User asks "can I use this commercially?" or "is this safe to ship?" | ACTIVE | | User mentions GPL, AGPL, LGPL, MPL, MIT, BSD, Apache, copyleft | ACTIVE | | User is preparing to ship, sell, or relicense a product | ACTIVE | | User wants security vulnerability scanning | DORMANT — use dependency-audit | | User wants a service contract or NDA | DORMANT — use contract-template |

Common Mistakes

| Mistake | Why It's Wrong | |---------|---------------| | "MIT and GPL are both open source so they're compatible" | Combining MIT into GPL is fine; the reverse forces your code under GPL. Direction matters. | | "We don't distribute, so AGPL doesn't apply" | AGPL §13 triggers on network use. SaaS counts. | | "It's on GitHub so it's free to use" | Public ≠ licensed. No LICENSE file = all rights reserved. | | "Transitive dependencies don't matter" | Your bundle ships every dep in the tree. Copyleft transitives can taint the whole product. | | "License from package.json metadata is authoritative" | The actual LICENSE file in upstream source is authoritative. Metadata is often wrong, missing, or outdated. | | "BSL / SSPL / Elastic / Commons Clause are open source" | They are not OSI-approved and usually restrict commercial hosting or competition. Read the actual terms. |

Disclaimer: Produces a license inventory and risk assessment, not legal advice. License interpretation — especially copyleft scope, "linking", and SaaS triggers — is contested. Engage IP counsel before shipping high-stakes products.

Protocol

Step 1: Confirm the distribution model

Just one question — the verdict logic depends on it:

How is the product distributed?

• A. SaaS / hosted (users access over the network, no binary handed out)
• B. Distributed binary (desktop, mobile, on-prem install, downloadable executable)
• C. Open-source library you publish for others to consume
• D. Internal only (no users outside your organisation)

Default to A if the repo contains web framework code (Next.js, FastAPI, Rails, etc.) and no installer/build target.

Step 2: Scan the repo for every license source

Walk every manifest, lockfile, vendored directory, and asset folder. Never trust a single source — cross-check.

| Stack | Manifest | Discovery command | |-------|----------|-------------------| | Node.js | package.json, package-lock.json, pnpm-lock.yaml, yarn.lock | npm ls --all --json then npx license-checker --json --production | | Python | requirements*.txt, pyproject.toml, Pipfile.lock, poetry.lock | pip-licenses --format=json --with-license-file --with-urls | | Rust | Cargo.toml, Cargo.lock | cargo license --json | | Go | go.mod, go.sum | go-licenses report ./... --template '{{.Name}},{{.LicenseName}},{{.LicenseURL}}' | | Java | pom.xml, build.gradle | mvn license:add-third-party or gradle-license-report | | Ruby | Gemfile, Gemfile.lock | bundle exec license_finder report --format json | | PHP | composer.json, composer.lock | composer licenses --format=json | | .NET | *.csproj, packages.lock.json | dotnet list package --include-transitive + nuget-license | | Container base images | Dockerfile | syft <image> -o spdx-json then read package licenses | | Vendored / submodules | vendor/, third_party/, .gitmodules | walk directories — look for LICENSE, LICENSE.md, COPYING, NOTICE | | Fonts / icons / media | assets/, public/, static/ | check each asset's source license — commonly missed | | Snippets and copy-pasted code | comments, headers | grep -rEin "Copyright|SPDX-License-Identifier" |

For everything found, capture:

| Package | Version | Declared license (manifest) | License file present | Direct/transitive | Source URL |
|---------|---------|----------------------------|---------------------|-------------------|------------|
| react | 18.3.1 | MIT | Yes | direct | github.com/facebook/react |
| ... | ... | ... | ... | ... | ... |

Step 3: Resolve the actual license (don't trust metadata)

For every entry that is HIGH-impact (copyleft candidate, missing license, or version where licenses are known to change), open the upstream LICENSE file and confirm the SPDX identifier.

Watch for license changes between versions:

| Project | Version cut | Old → New | |---------|-------------|-----------| | Elasticsearch | 7.10 → 7.11 | Apache-2.0 → SSPL/Elastic | | Redis | 7.2 → 7.4 | BSD → SSPL/RSAL | | Terraform | 1.5 → 1.6 | MPL-2.0 → BSL | | MongoDB | 4.0 | AGPL → SSPL | | HashiCorp tools | 2023 | MPL-2.0 → BSL | | Sentry | 8.x | BSD → FSL |

Pin to the last compliant version or migrate.

Also check for:

• Dual licensing ("MIT OR Apache-2.0") — pick the option you'll comply with and record the choice
• Commons Clause layered on top of an OSI license — restricts "selling"
• Custom / vendor licenses — read the actual terms verbatim

Step 4: Classify each license

| Class | Examples | Commercial use allowed? | Reach | |-------|----------|------------------------|-------| | Public domain | CC0, Unlicense, WTFPL, 0BSD | Yes — no obligations | None | | Permissive | MIT, BSD-2/3, ISC, Apache-2.0, Zlib | Yes — preserve notice | None | | Weak copyleft | LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0 | Yes with obligations | File-level (MPL) or dynamic-linking carve-out (LGPL) | | Strong copyleft | GPL-2.0, GPL-3.0 | Yes — but derivative works become GPL on distribution | Whole derivative work | | Network copyleft | AGPL-3.0 | Yes — but SaaS triggers source disclosure | Whole derivative work + network use | | Source-available (non-OSI) | BSL, SSPL, Elastic v2, Commons Clause, RSAL, FSL | Restricted — usually no competing hosted service | Per terms | | Creative Commons | CC-BY, CC-BY-SA, CC-BY-NC, CC-BY-ND | NC = no commercial; SA = share-alike; ND = no derivatives | Per variant | | Proprietary / commercial EULA | Vendor SDKs, paid libraries | Per contract | Per contract | | Unknown / no license | No LICENSE file | No — all rights reserved by default | N/A |

Step 5: Apply the verdict per package

For every dependency, run it through the distribution model from Step 1 and assign exactly one verdict:

| Verdict | Symbol | Meaning | |---------|--------|---------| | Ready for commercial use | ✅ | No obligations beyond preserving the existing notice file. Safe to ship. | | Citation / attribution required | 📝 | Commercial use is allowed but the license requires the copyright notice and license text to be reproduced (typically in THIRD_PARTY_LICENSES.md, an About page, or alongside the binary). MIT, BSD, Apache-2.0, ISC, Zlib all fall here when shipped to users. | | More information needed | ❓ | License is unknown, ambiguous, dual-licensed, or version-changed. Cannot ship until resolved. | | Not allowed for commercial use | ❌ | License blocks the chosen distribution model. Must replace, remove, relicense, or buy a commercial exception. |

Verdict rules per distribution model:

| License class | A. SaaS | B. Binary | C. OSS library | D. Internal | |---------------|---------|-----------|----------------|-------------| | Public domain | ✅ | ✅ | ✅ | ✅ | | Permissive (MIT, BSD, Apache, ISC, Zlib) | 📝 | 📝 | 📝 | ✅ | | LGPL | 📝 | 📝 (must allow relinking) | 📝 | ✅ | | MPL-2.0 / EPL-2.0 | 📝 | 📝 (file-level disclosure) | 📝 | ✅ | | GPL-2.0 / GPL-3.0 | 📝 (no distribution = no source disclosure) | ❌ (forces whole product GPL) | ❌ unless your lib is also GPL | ✅ | | AGPL-3.0 | ❌ (network use triggers source disclosure) | ❌ | ❌ unless your lib is AGPL | ✅ | | BSL | ❓ → usually ❌ for SaaS (read additional use grant) | ❓ | ❌ | ✅ | | SSPL | ❌ for SaaS | ❌ | ❌ | ✅ | | Elastic v2 / Commons Clause / RSAL / FSL | ❌ | ❌ | ❌ | ✅ | | CC-BY | 📝 | 📝 | 📝 | ✅ | | CC-BY-SA | 📝 (share-alike on derivatives) | 📝 | ❌ unless your work is also SA | ✅ | | CC-BY-NC | ❌ | ❌ | ❌ | ✅ | | CC-BY-ND | ❌ if modified | ❌ if modified | ❌ if modified | ✅ | | Proprietary EULA | per contract | per contract | per contract | per contract | | Unknown / no license | ❓ → ❌ until resolved | ❓ → ❌ | ❓ → ❌ | ❓ → ❌ |

Step 6: Build the verdict table

This is the primary deliverable. One row per dependency, sorted by verdict severity (❌ → ❓ → 📝 → ✅).

| Package | Version | License | Direct/Trans | Verdict | Required action |
|---------|---------|---------|--------------|---------|----------------|
| ❌ mongodb | 6.0.5 | SSPL-1.0 | direct | ❌ Not allowed for SaaS | Replace with PostgreSQL or buy commercial license |
| ❌ some-lib | 2.1.0 | AGPL-3.0 | direct | ❌ Not allowed for SaaS | Replace with permissive alternative |
| ❓ obscure-pkg | 0.4.2 | (no LICENSE file) | transitive | ❓ Unknown | Open upstream issue; pin or remove until resolved |
| ❓ dual-pkg | 1.2.0 | "MIT OR GPL-3.0" | direct | ❓ Choose | Document MIT election in NOTICE |
| 📝 react | 18.3.1 | MIT | direct | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 fastify | 4.26.0 | MIT | direct | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 lodash | 4.17.21 | MIT | transitive | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 protobufjs | 7.2.5 | BSD-3-Clause | transitive | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md |
| 📝 fonts/inter | — | OFL-1.1 | asset | 📝 Citation required | Include OFL.txt in assets/fonts/ |
| ✅ classnames | 2.5.1 | MIT | transitive | ✅ Ready | (already in attribution bundle) |
| ✅ public-domain-pkg | 1.0.0 | CC0-1.0 | direct | ✅ Ready | None |

Step 7: Generate the attribution bundle

For every 📝 row, the user needs a THIRD_PARTY_LICENSES.md (or NOTICES.txt) shipped alongside the product. Offer to generate it:

# Third-Party Licenses

This product includes the following third-party software:

## react v18.3.1
**License:** MIT
**Source:** https://github.com/facebook/react
**Copyright:** Copyright (c) Meta Platforms, Inc. and affiliates.

[Full MIT license text verbatim]

---

## next-package vA.B.C
...

For Apache-2.0 deps, also preserve any upstream NOTICE file content.

Step 8: Produce the report

## License Audit — [Project Name]

**Date:** [YYYY-MM-DD]
**Distribution model:** [A. SaaS / B. Binary / C. Library / D. Internal]
**Project's own license:** [SPDX or "proprietary"]
**Total dependencies analysed:** [N direct + M transitive + K assets]

### Verdict summary
| Verdict | Count |
|---------|-------|
| ❌ Not allowed for commercial use | [N] |
| ❓ More information needed | [N] |
| 📝 Citation / attribution required | [N] |
| ✅ Ready for commercial use | [N] |

### Commercial-use verdict
**[CLEAR TO SHIP / CLEAR WITH CITATION OBLIGATIONS / BLOCKED]**

[2–3 sentences explaining the verdict and naming the specific blockers if any.]

### Full verdict table
[Table from Step 6]

### Required attribution bundle
[Either inline THIRD_PARTY_LICENSES.md content, or a list of packages that must appear in it]

### Remediation plan (priority order)
1. **❌ [Blocker]** — [package] — [replace with X / remove feature Y / buy license / quarantine]
2. **❓ [Unknown]** — [package] — [investigation step]
3. **📝 [Attribution gap]** — [add to THIRD_PARTY_LICENSES.md]

### Recommended next steps
1. Resolve every ❌ before shipping
2. Resolve every ❓ before shipping
3. Generate / update `THIRD_PARTY_LICENSES.md` and ship with the product
4. Add an automated license check to CI to catch new dependencies
5. Re-run this audit before each release
6. Have IP counsel review if any BSL/SSPL/AGPL/unknown findings remain

Output Format

Deliver the Step 8 report as markdown. Save under docs/compliance/license-audit.md if a project layout is available. Save the generated attribution bundle as THIRD_PARTY_LICENSES.md at the repo root. Include the exact discovery commands you ran in an appendix so the user can reproduce.

Completion

Licensing — Audit complete!

Distribution model: [A / B / C / D]
Dependencies analysed: [N direct + M transitive + K assets]
❌ Blocked: [N]
❓ Unknown: [N]
📝 Citation required: [N]
✅ Ready: [N]
Verdict: [CLEAR / CLEAR WITH OBLIGATIONS / BLOCKED]

Next steps:
1. Resolve every ❌ before shipping
2. Resolve every ❓ before shipping
3. Ship THIRD_PARTY_LICENSES.md alongside the product
4. Add license check to CI
5. Have IP counsel review high-risk findings

Level History

• Lv.1 — Base: distribution-model question, multi-language repo scan (Node/Python/Rust/Go/Java/Ruby/PHP/.NET/containers/vendored/assets), upstream LICENSE verification, version-change traps (Elastic/Mongo/Redis/Terraform/Sentry/HashiCorp), 9-class taxonomy, 4-verdict system (✅ Ready / 📝 Citation / ❓ Needs info / ❌ Not allowed), distribution-model verdict matrix, primary verdict table, attribution bundle generator, full report with summary counts and remediation plan. (Origin: MemStack Pro v3.6, Apr 2026)