Claude Code Plugins

Community-maintained marketplace

Feedback

license-compliance

@IvanTorresEdge/molcajete.ai
0
0

License checking and compatibility. Use when evaluating dependency licenses.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name license-compliance
description License checking and compatibility. Use when evaluating dependency licenses.

License Compliance Skill

This skill covers license checking for npm dependencies.

When to Use

Use this skill when:

  • Evaluating new dependencies
  • Auditing license compliance
  • Preparing for release
  • Setting up license policies

Core Principle

KNOW YOUR LICENSES - Understand what licenses allow and require before adding dependencies.

License Categories

Permissive Licenses (Generally Safe)

License Commercial Use Modification Distribution Attribution
MIT Yes Yes Yes Yes
Apache-2.0 Yes Yes Yes Yes
BSD-2-Clause Yes Yes Yes Yes
BSD-3-Clause Yes Yes Yes Yes
ISC Yes Yes Yes Yes
0BSD Yes Yes Yes No
Unlicense Yes Yes Yes No

Copyleft Licenses (Requires Review)

License Effect
GPL-2.0 Derivative works must be GPL
GPL-3.0 Derivative works must be GPL
LGPL-2.1 Dynamic linking OK, static linking requires LGPL
LGPL-3.0 Dynamic linking OK, static linking requires LGPL
AGPL-3.0 Network use triggers copyleft
MPL-2.0 File-level copyleft

Special Attention

License Notes
CC-BY-* Not designed for software
WTFPL May not be recognized legally
Proprietary Requires explicit permission
No License All rights reserved by default

License Checker Tool

Installation

npm install -g license-checker

Basic Usage

# List all licenses
npx license-checker

# Summary view
npx license-checker --summary

# JSON output
npx license-checker --json > licenses.json

# CSV output
npx license-checker --csv > licenses.csv

Allowed Licenses Only

npx license-checker --onlyAllow "MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD;Unlicense"

Exclude Licenses

npx license-checker --excludeLicenses "GPL;AGPL"

License Automation

Pre-commit Hook

{
  "husky": {
    "hooks": {
      "pre-commit": "npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'"
    }
  }
}

CI Pipeline

- name: License Check
  run: npx license-checker --onlyAllow "MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD"

Package.json Script

{
  "scripts": {
    "license-check": "license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'"
  }
}

License Policy

Recommended Policy

## Allowed Licenses

- MIT
- Apache-2.0
- BSD-2-Clause
- BSD-3-Clause
- ISC
- 0BSD
- Unlicense
- CC0-1.0

## Requires Review

- MPL-2.0
- LGPL-*
- EPL-*

## Not Allowed

- GPL-* (without explicit approval)
- AGPL-*
- Proprietary
- No License

Policy Exceptions

Document any exceptions:

## License Exceptions

### package-name@1.0.0
- **License**: GPL-2.0
- **Reason**: CLI tool only, not linked into our code
- **Approved By**: @legal-team
- **Date**: 2024-01-01

Attribution Requirements

MIT License Attribution

## Third-Party Licenses

This software includes the following third-party packages:

### package-name
Copyright (c) 2024 Author Name
Licensed under the MIT License

Generating Attribution

npx license-checker --production --csv --out THIRD_PARTY_LICENSES.csv

License File Detection

Common License Files

  • LICENSE
  • LICENSE.md
  • LICENSE.txt
  • COPYING
  • NOTICE

Package.json License Field

{
  "license": "MIT"
}

SPDX Identifiers

Use standard SPDX identifiers:

  • MIT
  • Apache-2.0
  • BSD-3-Clause
  • (MIT OR Apache-2.0) - dual license
  • UNLICENSED - proprietary

Handling License Issues

Unknown License

# Investigate
npx license-checker --unknown

# Manual check
cat node_modules/package-name/LICENSE

Missing License

  1. Check package repository
  2. Contact maintainer
  3. Find alternative package
  4. Get explicit permission

License Conflict

  1. Identify conflicting licenses
  2. Consult legal if needed
  3. Find alternative packages
  4. Document decision

SBOM Generation

CycloneDX Format

npm install -g @cyclonedx/cyclonedx-npm
npx @cyclonedx/cyclonedx-npm --output-format JSON > sbom.json

SPDX Format

npm install -g @spdx/spdx-sbom-generator
npx spdx-sbom-generator

Best Practices Summary

  1. Define license policy - Know what's allowed
  2. Check before adding - Evaluate new dependencies
  3. Automate checking - CI/CD license gates
  4. Document exceptions - Track approved deviations
  5. Generate attribution - For distribution
  6. Regular audits - Dependencies change
  7. Create SBOM - For compliance reporting

Code Review Checklist

  • New dependencies have allowed licenses
  • License checker passes in CI
  • Attribution file updated
  • Exceptions documented
  • No copyleft licenses (or approved)
  • Package.json has valid license field