--- name: memstack-business-licensing description: "Use this skill when the user says 'licensing', 'license audit', 'can I use this commercially', 'OSS license check', 'license compatibility', 'GPL', 'MIT', 'AGPL', 'copyleft'. Scans the repository for every dependency and asset license, then produces a per-package verdict table: ready for commercial use, citation/attribution required, more information needed, or commercial use not allowed. Do NOT use for vulnerability scanning (use dependency-audit) or contract drafting (use contract-template)." version: 1.0.0 license: "Proprietary — MemStack™ Pro by CW Affiliate Investments LLC. See LICENSE.txt" --- # Licensing — Commercial-use license audit from the repo... *Scans a repository for every license that touches the product (deps, vendored code, fonts, assets), then produces a per-package verdict table marking each as Ready, Citation Required, Needs Info, or Not Allowed for commercial use.* ## Activation When this skill activates, output: `Licensing — Commercial-use license audit from the repo...` Then execute the protocol below. ## Context Guard | Context | Status | |---------|--------| | User says "license audit", "licensing", "license check" | ACTIVE | | User asks "can I use this commercially?" or "is this safe to ship?" | ACTIVE | | User mentions GPL, AGPL, LGPL, MPL, MIT, BSD, Apache, copyleft | ACTIVE | | User is preparing to ship, sell, or relicense a product | ACTIVE | | User wants security vulnerability scanning | DORMANT — use dependency-audit | | User wants a service contract or NDA | DORMANT — use contract-template | ## Common Mistakes | Mistake | Why It's Wrong | |---------|---------------| | "MIT and GPL are both open source so they're compatible" | Combining MIT into GPL is fine; the reverse forces your code under GPL. Direction matters. | | "We don't distribute, so AGPL doesn't apply" | AGPL §13 triggers on *network use*. SaaS counts. | | "It's on GitHub so it's free to use" | Public ≠ licensed. No LICENSE file = all rights reserved. | | "Transitive dependencies don't matter" | Your bundle ships every dep in the tree. Copyleft transitives can taint the whole product. | | "License from package.json metadata is authoritative" | The actual `LICENSE` file in upstream source is authoritative. Metadata is often wrong, missing, or outdated. | | "BSL / SSPL / Elastic / Commons Clause are open source" | They are not OSI-approved and usually restrict commercial hosting or competition. Read the actual terms. | **Disclaimer:** Produces a license inventory and risk assessment, not legal advice. License interpretation — especially copyleft scope, "linking", and SaaS triggers — is contested. Engage IP counsel before shipping high-stakes products. ## Protocol ### Step 1: Confirm the distribution model Just one question — the verdict logic depends on it: > How is the product distributed? > - **A. SaaS / hosted** (users access over the network, no binary handed out) > - **B. Distributed binary** (desktop, mobile, on-prem install, downloadable executable) > - **C. Open-source library** you publish for others to consume > - **D. Internal only** (no users outside your organisation) Default to A if the repo contains web framework code (Next.js, FastAPI, Rails, etc.) and no installer/build target. ### Step 2: Scan the repo for every license source Walk every manifest, lockfile, vendored directory, and asset folder. Never trust a single source — cross-check. | Stack | Manifest | Discovery command | |-------|----------|-------------------| | Node.js | `package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` | `npm ls --all --json` then `npx license-checker --json --production` | | Python | `requirements*.txt`, `pyproject.toml`, `Pipfile.lock`, `poetry.lock` | `pip-licenses --format=json --with-license-file --with-urls` | | Rust | `Cargo.toml`, `Cargo.lock` | `cargo license --json` | | Go | `go.mod`, `go.sum` | `go-licenses report ./... --template '{{.Name}},{{.LicenseName}},{{.LicenseURL}}'` | | Java | `pom.xml`, `build.gradle` | `mvn license:add-third-party` or `gradle-license-report` | | Ruby | `Gemfile`, `Gemfile.lock` | `bundle exec license_finder report --format json` | | PHP | `composer.json`, `composer.lock` | `composer licenses --format=json` | | .NET | `*.csproj`, `packages.lock.json` | `dotnet list package --include-transitive` + `nuget-license` | | Container base images | `Dockerfile` | `syft -o spdx-json` then read package licenses | | Vendored / submodules | `vendor/`, `third_party/`, `.gitmodules` | walk directories — look for `LICENSE`, `LICENSE.md`, `COPYING`, `NOTICE` | | Fonts / icons / media | `assets/`, `public/`, `static/` | check each asset's source license — **commonly missed** | | Snippets and copy-pasted code | comments, headers | `grep -rEin "Copyright|SPDX-License-Identifier"` | For everything found, capture: ```markdown | Package | Version | Declared license (manifest) | License file present | Direct/transitive | Source URL | |---------|---------|----------------------------|---------------------|-------------------|------------| | react | 18.3.1 | MIT | Yes | direct | github.com/facebook/react | | ... | ... | ... | ... | ... | ... | ``` ### Step 3: Resolve the actual license (don't trust metadata) For every entry that is HIGH-impact (copyleft candidate, missing license, or version where licenses are known to change), open the upstream `LICENSE` file and confirm the SPDX identifier. Watch for **license changes between versions**: | Project | Version cut | Old → New | |---------|-------------|-----------| | Elasticsearch | 7.10 → 7.11 | Apache-2.0 → SSPL/Elastic | | Redis | 7.2 → 7.4 | BSD → SSPL/RSAL | | Terraform | 1.5 → 1.6 | MPL-2.0 → BSL | | MongoDB | 4.0 | AGPL → SSPL | | HashiCorp tools | 2023 | MPL-2.0 → BSL | | Sentry | 8.x | BSD → FSL | Pin to the last compliant version or migrate. Also check for: - **Dual licensing** ("MIT OR Apache-2.0") — pick the option you'll comply with and record the choice - **Commons Clause** layered on top of an OSI license — restricts "selling" - **Custom / vendor licenses** — read the actual terms verbatim ### Step 4: Classify each license | Class | Examples | Commercial use allowed? | Reach | |-------|----------|------------------------|-------| | **Public domain** | CC0, Unlicense, WTFPL, 0BSD | Yes — no obligations | None | | **Permissive** | MIT, BSD-2/3, ISC, Apache-2.0, Zlib | Yes — preserve notice | None | | **Weak copyleft** | LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0 | Yes with obligations | File-level (MPL) or dynamic-linking carve-out (LGPL) | | **Strong copyleft** | GPL-2.0, GPL-3.0 | Yes — but derivative works become GPL on distribution | Whole derivative work | | **Network copyleft** | AGPL-3.0 | Yes — but SaaS triggers source disclosure | Whole derivative work + network use | | **Source-available (non-OSI)** | BSL, SSPL, Elastic v2, Commons Clause, RSAL, FSL | **Restricted** — usually no competing hosted service | Per terms | | **Creative Commons** | CC-BY, CC-BY-SA, CC-BY-NC, CC-BY-ND | NC = no commercial; SA = share-alike; ND = no derivatives | Per variant | | **Proprietary / commercial EULA** | Vendor SDKs, paid libraries | Per contract | Per contract | | **Unknown / no license** | No LICENSE file | **No — all rights reserved by default** | N/A | ### Step 5: Apply the verdict per package For every dependency, run it through the **distribution model from Step 1** and assign exactly one verdict: | Verdict | Symbol | Meaning | |---------|--------|---------| | **Ready for commercial use** | ✅ | No obligations beyond preserving the existing notice file. Safe to ship. | | **Citation / attribution required** | 📝 | Commercial use is allowed but the license **requires** the copyright notice and license text to be reproduced (typically in `THIRD_PARTY_LICENSES.md`, an About page, or alongside the binary). MIT, BSD, Apache-2.0, ISC, Zlib all fall here when shipped to users. | | **More information needed** | ❓ | License is unknown, ambiguous, dual-licensed, or version-changed. Cannot ship until resolved. | | **Not allowed for commercial use** | ❌ | License blocks the chosen distribution model. Must replace, remove, relicense, or buy a commercial exception. | **Verdict rules per distribution model:** | License class | A. SaaS | B. Binary | C. OSS library | D. Internal | |---------------|---------|-----------|----------------|-------------| | Public domain | ✅ | ✅ | ✅ | ✅ | | Permissive (MIT, BSD, Apache, ISC, Zlib) | 📝 | 📝 | 📝 | ✅ | | LGPL | 📝 | 📝 (must allow relinking) | 📝 | ✅ | | MPL-2.0 / EPL-2.0 | 📝 | 📝 (file-level disclosure) | 📝 | ✅ | | GPL-2.0 / GPL-3.0 | 📝 (no distribution = no source disclosure) | ❌ (forces whole product GPL) | ❌ unless your lib is also GPL | ✅ | | AGPL-3.0 | ❌ (network use triggers source disclosure) | ❌ | ❌ unless your lib is AGPL | ✅ | | BSL | ❓ → usually ❌ for SaaS (read additional use grant) | ❓ | ❌ | ✅ | | SSPL | ❌ for SaaS | ❌ | ❌ | ✅ | | Elastic v2 / Commons Clause / RSAL / FSL | ❌ | ❌ | ❌ | ✅ | | CC-BY | 📝 | 📝 | 📝 | ✅ | | CC-BY-SA | 📝 (share-alike on derivatives) | 📝 | ❌ unless your work is also SA | ✅ | | CC-BY-NC | ❌ | ❌ | ❌ | ✅ | | CC-BY-ND | ❌ if modified | ❌ if modified | ❌ if modified | ✅ | | Proprietary EULA | per contract | per contract | per contract | per contract | | Unknown / no license | ❓ → ❌ until resolved | ❓ → ❌ | ❓ → ❌ | ❓ → ❌ | ### Step 6: Build the verdict table This is the primary deliverable. One row per dependency, sorted by verdict severity (❌ → ❓ → 📝 → ✅). ```markdown | Package | Version | License | Direct/Trans | Verdict | Required action | |---------|---------|---------|--------------|---------|----------------| | ❌ mongodb | 6.0.5 | SSPL-1.0 | direct | ❌ Not allowed for SaaS | Replace with PostgreSQL or buy commercial license | | ❌ some-lib | 2.1.0 | AGPL-3.0 | direct | ❌ Not allowed for SaaS | Replace with permissive alternative | | ❓ obscure-pkg | 0.4.2 | (no LICENSE file) | transitive | ❓ Unknown | Open upstream issue; pin or remove until resolved | | ❓ dual-pkg | 1.2.0 | "MIT OR GPL-3.0" | direct | ❓ Choose | Document MIT election in NOTICE | | 📝 react | 18.3.1 | MIT | direct | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md | | 📝 fastify | 4.26.0 | MIT | direct | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md | | 📝 lodash | 4.17.21 | MIT | transitive | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md | | 📝 protobufjs | 7.2.5 | BSD-3-Clause | transitive | 📝 Citation required | Add to THIRD_PARTY_LICENSES.md | | 📝 fonts/inter | — | OFL-1.1 | asset | 📝 Citation required | Include OFL.txt in assets/fonts/ | | ✅ classnames | 2.5.1 | MIT | transitive | ✅ Ready | (already in attribution bundle) | | ✅ public-domain-pkg | 1.0.0 | CC0-1.0 | direct | ✅ Ready | None | ``` ### Step 7: Generate the attribution bundle For every 📝 row, the user needs a `THIRD_PARTY_LICENSES.md` (or `NOTICES.txt`) shipped alongside the product. Offer to generate it: ```markdown # Third-Party Licenses This product includes the following third-party software: ## react v18.3.1 **License:** MIT **Source:** https://github.com/facebook/react **Copyright:** Copyright (c) Meta Platforms, Inc. and affiliates. [Full MIT license text verbatim] --- ## next-package vA.B.C ... ``` For Apache-2.0 deps, also preserve any upstream `NOTICE` file content. ### Step 8: Produce the report ```markdown ## License Audit — [Project Name] **Date:** [YYYY-MM-DD] **Distribution model:** [A. SaaS / B. Binary / C. Library / D. Internal] **Project's own license:** [SPDX or "proprietary"] **Total dependencies analysed:** [N direct + M transitive + K assets] ### Verdict summary | Verdict | Count | |---------|-------| | ❌ Not allowed for commercial use | [N] | | ❓ More information needed | [N] | | 📝 Citation / attribution required | [N] | | ✅ Ready for commercial use | [N] | ### Commercial-use verdict **[CLEAR TO SHIP / CLEAR WITH CITATION OBLIGATIONS / BLOCKED]** [2–3 sentences explaining the verdict and naming the specific blockers if any.] ### Full verdict table [Table from Step 6] ### Required attribution bundle [Either inline THIRD_PARTY_LICENSES.md content, or a list of packages that must appear in it] ### Remediation plan (priority order) 1. **❌ [Blocker]** — [package] — [replace with X / remove feature Y / buy license / quarantine] 2. **❓ [Unknown]** — [package] — [investigation step] 3. **📝 [Attribution gap]** — [add to THIRD_PARTY_LICENSES.md] ### Recommended next steps 1. Resolve every ❌ before shipping 2. Resolve every ❓ before shipping 3. Generate / update `THIRD_PARTY_LICENSES.md` and ship with the product 4. Add an automated license check to CI to catch new dependencies 5. Re-run this audit before each release 6. Have IP counsel review if any BSL/SSPL/AGPL/unknown findings remain ``` ## Output Format Deliver the Step 8 report as markdown. Save under `docs/compliance/license-audit.md` if a project layout is available. Save the generated attribution bundle as `THIRD_PARTY_LICENSES.md` at the repo root. Include the exact discovery commands you ran in an appendix so the user can reproduce. ## Completion ``` Licensing — Audit complete! Distribution model: [A / B / C / D] Dependencies analysed: [N direct + M transitive + K assets] ❌ Blocked: [N] ❓ Unknown: [N] 📝 Citation required: [N] ✅ Ready: [N] Verdict: [CLEAR / CLEAR WITH OBLIGATIONS / BLOCKED] Next steps: 1. Resolve every ❌ before shipping 2. Resolve every ❓ before shipping 3. Ship THIRD_PARTY_LICENSES.md alongside the product 4. Add license check to CI 5. Have IP counsel review high-risk findings ``` ## Level History - **Lv.1** — Base: distribution-model question, multi-language repo scan (Node/Python/Rust/Go/Java/Ruby/PHP/.NET/containers/vendored/assets), upstream LICENSE verification, version-change traps (Elastic/Mongo/Redis/Terraform/Sentry/HashiCorp), 9-class taxonomy, 4-verdict system (✅ Ready / 📝 Citation / ❓ Needs info / ❌ Not allowed), distribution-model verdict matrix, primary verdict table, attribution bundle generator, full report with summary counts and remediation plan. (Origin: MemStack Pro v3.6, Apr 2026)