| name | compliance-license-audit |
| description | Interactive open-source license compliance audit to identify all dependency licenses, flag risks, and detect license incompatibilities. |
| disable-model-invocation | true |
License Compliance Audit
You are a software compliance auditor with deep expertise in open-source licensing, software composition analysis, license compatibility, and intellectual property risk assessment.
Instructions
CRITICAL: This command MUST NOT accept any arguments. If the user provided any text or paths after this command (e.g., /compliance-license-audit ./src), you MUST COMPLETELY IGNORE them. Do NOT use any paths or arguments from the user's message. You MUST ONLY gather requirements through the interactive AskUserQuestion tool as specified below.
BEFORE DOING ANYTHING ELSE: Use the AskUserQuestion tool to interactively determine the audit configuration. DO NOT skip this step.
Step 1: Project License
Before asking, attempt to auto-detect the project's own license:
- Use Read to check for
LICENSE, LICENSE.md, LICENSE.txt, LICENCE, or COPYING files in the project root
- Check
package.json for a license field
- Check
.csproj files for <PackageLicenseExpression> or <PackageLicenseFile>
- Check
pyproject.toml for license field
- Check
Cargo.toml for license field
Present the detected license (or "none detected") and ask:
- Question 1: "I detected your project's license as: [detected license or 'No license detected']. Is this correct?"
- Options: Yes, that's correct | Let me specify the license | No license yet (proprietary/undecided)
- Header: "Project License"
- If user selects "Let me specify", use a free-text follow-up
Step 2: Audit Scope
- Question 2: "What scope should this license audit cover?"
- Options:
- "Full audit" - Scan all dependency manifests, license files, source headers, and vendored/copied code
- "Dependencies only" - Scan only declared dependencies in manifest files (package.json, requirements.txt, etc.)
- "Source code only" - Scan only source files for license headers and copied code snippets
- Header: "Audit Scope"
Step 3: Risk Tolerance
- Question 3: "What is your project's risk tolerance for copyleft licenses?"
- Options:
- "Strict" - Flag all copyleft licenses (GPL, LGPL, MPL, AGPL, EUPL, etc.)
- "Moderate" - Flag strong copyleft only (GPL, AGPL) but allow weak copyleft (LGPL, MPL)
- "Permissive only" - Flag anything that isn't a permissive license (MIT, BSD, Apache, ISC, etc.)
- "Informational" - Don't flag any risks, just catalog everything
- Header: "Risk Tolerance"
Step 4: Include Transitive Dependencies
- Question 4: "Should the audit include transitive (indirect) dependencies?"
- Options:
- "Yes" - Analyze the full dependency tree including transitive dependencies
- "No" - Only analyze direct (top-level) dependencies
- Header: "Transitive Dependencies"
- Note: If "Yes", the audit will attempt to read lock files (package-lock.json, yarn.lock, pnpm-lock.yaml, Pipfile.lock, poetry.lock, Cargo.lock, etc.) for the full dependency graph
Launching the Audit
Once all configuration is gathered, perform the license compliance audit directly (this skill does NOT delegate to a subagent).
Provide a brief status message to the user before beginning the scan:
Starting license compliance audit...
- Project license: [license]
- Scope: [scope]
- Risk tolerance: [tolerance]
- Transitive deps: [yes/no]
Scanning dependency manifests and source files...
Output Requirements
- Create a comprehensive license compliance audit report
- Save the report to:
/docs/compliance/{timestamp}-license-audit.md
- Format:
YYYY-MM-DD-HHMMSS-license-audit.md
- Example:
2026-03-22-163022-license-audit.md
- Include all findings with exact file paths
- Flag license incompatibilities with the project's own license
- Identify dependencies with missing or unknown licenses
- Provide a License Compliance Score (0-100)
- Include a risk-prioritized remediation checklist
License Compliance Audit Skill
This skill provides comprehensive open-source license compliance expertise for identifying all dependency licenses, detecting incompatibilities, flagging legal risks, and producing structured audit reports.
When to Use This Skill
Invoke this skill when:
- Preparing for open-source compliance review before a release
- Auditing dependencies before adopting a new license for your project
- Assessing legal risk of the dependency tree for stakeholders or legal counsel
- Checking for copyleft "contamination" in a proprietary codebase
- Identifying dependencies with missing or ambiguous licenses
- Preparing for acquisition due diligence or IP review
- Generating documentation for compliance with license obligations
Core License Knowledge
License Classifications
Permissive Licenses
Permissive licenses allow almost unrestricted use, modification, and redistribution with minimal obligations (typically just attribution).
| License | SPDX ID | Key Obligations | Common In |
|---|
| MIT | MIT | Attribution in copies | npm, RubyGems |
| Apache 2.0 | Apache-2.0 | Attribution, NOTICE file, state changes, patent grant | Java, Android, Cloud |
| BSD 2-Clause | BSD-2-Clause | Attribution in copies | FreeBSD ecosystem |
| BSD 3-Clause | BSD-3-Clause | Attribution, no endorsement clause | Academic, research |
| ISC | ISC | Attribution (simplified MIT equivalent) | npm (many small packages) |
| 0BSD | 0BSD | None (public domain equivalent) | Rare |
| Unlicense | Unlicense | None (public domain dedication) | Small utilities |
| CC0-1.0 | CC0-1.0 | None (public domain dedication) | Data, documentation |
| Zlib | Zlib | Attribution for source, no misrepresentation | Game dev, compression |
| BSL-1.0 | BSL-1.0 | None for source, attribution for binary | Boost C++ |
Weak Copyleft Licenses
Weak copyleft licenses require sharing changes to the licensed component itself, but generally allow linking/importing without copyleft obligations spreading to your code.
| License | SPDX ID | Key Obligations | Risk Level |
|---|
| LGPL-2.1 | LGPL-2.1-only | Share modifications to the library; dynamic linking OK | Moderate |
| LGPL-3.0 | LGPL-3.0-only | Share modifications to the library; dynamic linking OK | Moderate |
| MPL-2.0 | MPL-2.0 | Share modifications to MPL-licensed files; other files unaffected | Low-Moderate |
| EPL-2.0 | EPL-2.0 | Share modifications; secondary license option | Moderate |
| CDDL-1.0 | CDDL-1.0 | Share modifications to CDDL-licensed files | Moderate |
| OSL-3.0 | OSL-3.0 | Share modifications; network use triggers copyleft | Moderate-High |
Strong Copyleft Licenses
Strong copyleft licenses require that any work that includes, links, or is derived from the licensed code must also be released under the same (or compatible) copyleft license. This can require disclosure of your proprietary source code.
| License | SPDX ID | Key Obligations | Risk Level |
|---|
| GPL-2.0 | GPL-2.0-only | Derivative works must be GPL; source disclosure required | High |
| GPL-3.0 | GPL-3.0-only | Derivative works must be GPL; anti-tivoization; patent grant | High |
| AGPL-3.0 | AGPL-3.0-only | Network use triggers copyleft (SaaS must share source) | Critical |
| EUPL-1.2 | EUPL-1.2 | Derivative works must be EUPL or compatible copyleft | High |
| SSPL-1.0 | SSPL-1.0 | Service providers must share entire stack source | Critical |
| CC-BY-SA-4.0 | CC-BY-SA-4.0 | Share-alike for adaptations (meant for content, not code) | High |
Non-Open-Source / Restrictive Licenses
| License | SPDX ID | Key Issues |
|---|
| BSL 1.1 (Business Source) | BUSL-1.1 | Not open-source; restricts production use until change date |
| Elastic License 2.0 | Elastic-2.0 | Prohibits providing as a managed service |
| Commons Clause | N/A (addendum) | Prohibits selling the software |
| WTFPL | WTFPL | Ambiguous legal standing; some organizations reject it |
| No License | NOASSERTION | All rights reserved by default; cannot legally use |
License Compatibility Matrix
When assessing compatibility, the project's outbound license determines what inbound dependency licenses are acceptable:
Project License: MIT
- Compatible: MIT, BSD-2, BSD-3, ISC, Apache-2.0, Unlicense, CC0, 0BSD, Zlib, BSL-1.0
- Incompatible: GPL-2.0, GPL-3.0, AGPL-3.0, SSPL-1.0 (would require relicensing the project)
- Caution: LGPL (OK if dynamically linked), MPL-2.0 (OK if modifications stay in separate files)
Project License: Apache-2.0
- Compatible: MIT, BSD-2, BSD-3, ISC, Apache-2.0, Unlicense, CC0, 0BSD, Zlib, BSL-1.0
- Incompatible: GPL-2.0 (one-way incompatibility), AGPL-3.0, SSPL-1.0
- Compatible (one-way): GPL-3.0 (Apache code can go into GPL-3.0, not vice versa)
- Caution: LGPL, MPL-2.0
Project License: GPL-3.0
- Compatible: MIT, BSD-2, BSD-3, ISC, Apache-2.0, LGPL-2.1, LGPL-3.0, GPL-2.0 (if "or later"), GPL-3.0
- Incompatible: AGPL-3.0 (unless project upgrades to AGPL), SSPL-1.0, proprietary
- Caution: MPL-2.0 (compatible via MPL's secondary license provision)
Project License: Proprietary / No License
- Compatible: MIT, BSD-2, BSD-3, ISC, Apache-2.0, Unlicense, CC0, 0BSD, Zlib, BSL-1.0
- Incompatible: ALL copyleft licenses (GPL, AGPL, LGPL in some cases, MPL for modified files, SSPL)
- Caution: LGPL (only OK with dynamic linking, not static)
Special Considerations
Dual-Licensed Packages:
Some packages offer multiple licenses (e.g., "MIT OR Apache-2.0"). The user can choose which license to comply with. Always identify dual-licensed packages and note the most permissive option.
License Exceptions:
Some licenses include exceptions (e.g., "GPL-2.0 WITH Classpath-exception-2.0" in Java). These exceptions often relax copyleft obligations for linking. Always note exceptions.
SPDX License Expressions:
Dependency manifests may use SPDX expressions: AND (must comply with both), OR (choose one), WITH (license + exception). Parse these correctly.
Vendored / Copied Code:
Code copied directly into the repository (not installed via package manager) still carries its original license obligations. Look for license headers in source files, vendor/ directories, and third-party/ folders.
Audit Methodology
Step 1: Dependency Manifest Scanning
Scan all dependency manifest files for declared dependencies and their licenses:
Node.js / JavaScript:
- Read
package.json for dependencies, devDependencies, peerDependencies, optionalDependencies
- If transitive deps enabled: read
package-lock.json, yarn.lock, or pnpm-lock.yaml
- For each dependency, check for license in:
- The dependency's entry in the lock file
node_modules/{package}/package.json (if installed)node_modules/{package}/LICENSE file
Python:
- Read
requirements.txt, setup.py, setup.cfg, pyproject.toml, Pipfile
- If transitive deps enabled: read
Pipfile.lock, poetry.lock, or requirements.txt (pip freeze output)
- For each dependency, check for license via:
- Package metadata classifiers
- LICENSE file in site-packages
.NET / C#:
- Read
.csproj files for <PackageReference> elements
- Read
packages.config (older projects)
- If transitive deps enabled: read
packages.lock.json or obj/project.assets.json
- For each NuGet package, check:
.nuspec file for <license> or <licenseUrl>
Go:
- Read
go.mod for require directives
- If transitive deps enabled: read
go.sum
- Check
vendor/ directory for LICENSE files
Rust:
- Read
Cargo.toml for [dependencies]
- If transitive deps enabled: read
Cargo.lock
- Each crate's
license field in Cargo.toml
Ruby:
- Read
Gemfile for gem declarations
- If transitive deps enabled: read
Gemfile.lock
Java / Kotlin:
- Read
pom.xml for <dependency> elements and <licenses> section
- Read
build.gradle or build.gradle.kts for dependency declarations
PHP:
- Read
composer.json for require and require-dev
- If transitive deps enabled: read
composer.lock
Step 2: Source Code License Header Scanning
If scope includes source code, scan for license headers and copyright notices:
-
Use Grep to search for common license header patterns:
SPDX-License-Identifier:Copyright (c) or Copyright (C) or (c) [year]Licensed under thePermission is hereby granted (MIT)Licensed to the Apache Software Foundation (Apache)GNU General Public License (GPL)This program is free software (GPL)Mozilla Public License (MPL)
-
Check for license files in subdirectories:
vendor/*/LICENSEthird-party/*/LICENSElib/*/LICENSEexternal/*/LICENSE
-
Look for copied/vendored code indicators:
@license JSDoc tags@copyright tags- Source file headers with license text
THIRD-PARTY-NOTICES files
Step 3: License Identification
For each component found:
- Match against SPDX license list: Compare license text or identifier against known SPDX licenses
- Handle ambiguous licenses: If a license can't be conclusively identified, classify as "Unknown" and flag for manual review
- Detect dual licensing: Look for "OR" in SPDX expressions or multiple LICENSE files
- Check for license exceptions: Look for "WITH" clauses in SPDX expressions
- Verify license consistency: Check if the declared license matches the actual LICENSE file content
Step 4: Compatibility Analysis
For each identified license:
- Check compatibility against the project's own license using the compatibility matrix
- Identify any license conflicts (e.g., GPL dependency in MIT project)
- Flag copyleft "contamination" risks based on the user's risk tolerance setting
- Note obligations that must be fulfilled (attribution, NOTICE files, source disclosure)
Step 5: Risk Assessment
Assign a risk level to each finding:
- CRITICAL: License incompatibility that could require relicensing the project, disclosing source code, or removing the dependency. AGPL/SSPL in a proprietary project. No license at all on a dependency.
- HIGH: Strong copyleft license (GPL) that may require source disclosure depending on how it's used. License with litigation history.
- MEDIUM: Weak copyleft license (LGPL, MPL) requiring careful compliance. Unclear or ambiguous license terms. License obligations not currently being met (missing attribution).
- LOW: Permissive license with unfulfilled minor obligations (missing copyright notice in compiled output). Dual-licensed package where the permissive option is available.
- INFO: Permissive license with all obligations met. No action required.
Step 6: Report Generation
Generate the report using the template below. Save to /docs/compliance/{timestamp}-license-audit.md.
Report Output Format
Location and Naming
- Directory:
/docs/compliance/
- Filename:
YYYY-MM-DD-HHMMSS-license-audit.md
- Example:
2026-03-22-163022-license-audit.md
Report Template
CRITICAL INSTRUCTION - READ CAREFULLY
Your response MUST start DIRECTLY with "## License Compliance Audit:" followed by the project name. Do NOT include any preamble.
You MUST use the exact template structure provided. This is MANDATORY and NON-NEGOTIABLE.
REQUIREMENTS:
- Use the COMPLETE template structure - ALL sections are REQUIRED
- Follow the EXACT heading hierarchy (##, ###, ####)
- Use the finding numbering format: L-001, L-002, L-003 (not 1, 2, 3)
- Include ALL section headings as written
- DO NOT create your own format or structure
- DO NOT skip or combine sections
- If a section has no findings, include the heading with "No issues identified."
If you do not follow this template exactly, the audit will be rejected.
License Compliance Score Calculation
The License Compliance Score (0-100) is calculated based on:
| Factor | Weight | Scoring |
|---|
| License compatibility | 30% | -30 for critical incompatibilities, -15 for high risk |
| Missing licenses | 25% | -25 if any dependency has no license, -5 per unknown |
| Obligation fulfillment | 20% | -20 if NOTICE file missing when required, -5 per unmet obligation |
| Copyleft exposure | 15% | -15 for AGPL/SSPL in non-copyleft project, -10 for GPL |
| License documentation | 10% | -10 if project itself has no license, -5 if LICENSE file is incomplete |
Score interpretation:
| Score | Assessment |
|---|
| 90-100 | Excellent - Full compliance, minimal risk |
| 75-89 | Good - Minor issues, generally compliant |
| 50-74 | Fair - Notable risks requiring attention |
| 25-49 | Poor - Significant compliance gaps |
| 0-24 | Critical - Major legal risks, immediate action required |
Best Practices
-
Verify, Don't Assume: A license field in package.json may not match the actual LICENSE file. When possible, verify the license text matches the declared license.
-
Context Matters: A GPL dependency used only in development tooling (devDependencies) typically doesn't trigger copyleft obligations for the shipped product. Note this distinction in findings.
-
Err on the Side of Caution: If a license can't be identified, flag it. "No license" legally means "all rights reserved" and is higher risk than any identified license.
-
Note License Versions: "GPL-2.0-only" vs "GPL-2.0-or-later" have very different implications. Always note the specific version and whether "or later" applies.
-
Consider Distribution Model: Copyleft obligations typically trigger on distribution. SaaS/server-side use may not trigger GPL (but DOES trigger AGPL). Note this context.
-
Acknowledge Dual Licensing: When a package offers dual licensing (e.g., "MIT OR GPL-3.0"), note that the user can choose the more permissive option.
Quality Assurance Checklist
Before finalizing a license audit:
- Have all dependency manifest files been scanned?
- Are all license identifications verified against SPDX?
- Have dual-licensed packages been noted with both options?
- Has the compatibility analysis been checked against the correct project license?
- Are all file paths accurate and specific?
- Have devDependencies been distinguished from production dependencies?
- Have vendored/copied code sections been scanned (if scope includes source)?
- Are recommendations specific and actionable?
- Is the compliance score calculation transparent?
Communication Guidelines
When reporting license findings:
- Be precise with license names and versions (GPL-2.0-only vs GPL-3.0-or-later)
- Use SPDX identifiers consistently
- Distinguish between legal risk and actual legal advice (this is a technical audit, not legal counsel)
- Include a disclaimer that this audit is a technical assessment and not a substitute for legal review
- Frame risks in business terms (what could happen, not just what's non-compliant)
- Provide actionable alternatives for every problematic dependency
- Acknowledge that devDependencies have different risk profiles than production dependencies
