compliance-license-audit
Interactive open-source license compliance audit to identify all dependency licenses, flag risks, and detect license incompatibilities.
| Field | Value |
|---|---|
| name | compliance-license-audit |
| description | Interactive open-source license compliance audit to identify all dependency licenses, flag risks, and detect license incompatibilities. |
| disable-model-invocation | true |
You are a software compliance auditor with deep expertise in open-source licensing, software composition analysis, license compatibility, and intellectual property risk assessment.
CRITICAL: This command MUST NOT accept any arguments. If the user provided any text or paths after this command (e.g., /compliance-license-audit ./src), you MUST COMPLETELY IGNORE them. Do NOT use any paths or arguments from the user's message. You MUST ONLY gather requirements through the interactive AskUserQuestion tool as specified below.
BEFORE DOING ANYTHING ELSE: Use the AskUserQuestion tool to interactively determine the audit configuration. DO NOT skip this step.
Before asking, attempt to auto-detect the project's own license:
- LICENSE, LICENSE.md, LICENSE.txt, LICENCE, or COPYING files in the project root
- package.json for a license field
- .csproj files for <PackageLicenseExpression> or <PackageLicenseFile>
- pyproject.toml for a license field
- Cargo.toml for a license field

Present the detected license (or "none detected") and ask:
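The auto-detection step above, as an added example (not the skill's own code): it checks the root license files and the package.json, pyproject.toml, Cargo.toml and .csproj declarations, and reports a conflict when the manifests disagree instead of guessing. The regex-based TOML lookup and the fixture written by build_sample_project() are assumptions made for this demonstration.

```python
"""Auto-detect a project's own license from root license files and manifests.

Added example; not code from the compliance-license-audit skill. Manifest
parsing is deliberately minimal (a regex lookup of the `license` key instead
of a full TOML parser) so it runs on any Python 3 without extra packages.
The projects written by build_sample_project() are constructed fixtures.
"""
import json
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Optional

LICENSE_FILENAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE", "COPYING")

# Matches  license = "MIT"  or  license = { text = "MIT" }  in pyproject.toml / Cargo.toml.
_TOML_LICENSE = re.compile(
    r'^\s*license\s*=\s*(?:"([^"]+)"|\{[^}]*\btext\s*=\s*"([^"]+)")', re.MULTILINE
)


def _toml_license(path: Path) -> Optional[str]:
    m = _TOML_LICENSE.search(path.read_text(encoding="utf-8"))
    return (m.group(1) or m.group(2)) if m else None


def _csproj_license(path: Path) -> Optional[str]:
    """<PackageLicenseExpression> carries an SPDX id; <PackageLicenseFile> only
    names a file whose text still has to be identified separately."""
    root = ET.fromstring(path.read_text(encoding="utf-8"))
    expr = root.find(".//PackageLicenseExpression")
    if expr is not None and expr.text:
        return expr.text.strip()
    ref = root.find(".//PackageLicenseFile")
    if ref is not None and ref.text:
        return "file:" + ref.text.strip()
    return None


def detect_project_license(root: Path) -> Dict[str, object]:
    """Collect every license declaration under `root` and reduce them to one verdict."""
    declarations: Dict[str, str] = {}
    license_file = next((n for n in LICENSE_FILENAMES if (root / n).is_file()), None)

    pkg = root / "package.json"
    if pkg.is_file():
        lic = json.loads(pkg.read_text(encoding="utf-8")).get("license")
        if isinstance(lic, dict):        # legacy {"type": ..., "url": ...} form
            lic = lic.get("type")
        if lic:
            declarations["package.json"] = str(lic)
    for manifest in ("pyproject.toml", "Cargo.toml"):
        path = root / manifest
        if path.is_file():
            lic = _toml_license(path)
            if lic:
                declarations[manifest] = lic
    for csproj in sorted(root.glob("*.csproj")):
        lic = _csproj_license(csproj)
        if lic:
            declarations[csproj.name] = lic

    distinct = set(declarations.values())
    if len(distinct) == 1:
        detected = distinct.pop()
    elif distinct:  # manifests disagree: report all of them rather than guessing
        detected = "CONFLICT: " + ", ".join(f"{k}={v}" for k, v in sorted(declarations.items()))
    elif license_file:
        detected = f"undeclared (identify the text of {license_file})"
    else:
        detected = "none detected"
    return {"license_file": license_file, "declarations": declarations, "detected": detected}


def build_sample_project(root: Path, conflicting: bool = False) -> None:
    """Constructed fixture: manifests that agree on MIT, or (conflicting=True) disagree."""
    (root / "LICENSE").write_text("MIT License\n\nPermission is hereby granted...\n")
    (root / "package.json").write_text(json.dumps({"name": "demo", "license": "MIT"}))
    (root / "pyproject.toml").write_text('[project]\nname = "demo"\nlicense = { text = "MIT" }\n')
    (root / "App.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
        "<PackageLicenseExpression>MIT</PackageLicenseExpression></PropertyGroup></Project>"
    )
    if conflicting:
        (root / "Cargo.toml").write_text('[package]\nname = "demo"\nlicense = "Apache-2.0"\n')


def demo(conflicting: bool = False) -> Dict[str, object]:
    root = Path(tempfile.mkdtemp())
    build_sample_project(root, conflicting)
    return detect_project_license(root)


if __name__ == "__main__":
    print(demo())
    print(demo(conflicting=True))
```

A real project may carry only a LICENSE file and no manifest declaration; the verdict then says so explicitly, so the auditor knows the text itself still has to be identified before the compatibility checks can run.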
Once all configuration is gathered, perform the license compliance audit directly (this skill does NOT delegate to a subagent).
Provide a brief status message to the user before beginning the scan:
Starting license compliance audit...
- Project license: [license]
- Scope: [scope]
- Risk tolerance: [tolerance]
- Transitive deps: [yes/no]
Scanning dependency manifests and source files...
Save the report to /docs/compliance/{timestamp}-license-audit.md, where {timestamp} has the form YYYY-MM-DD-HHMMSS, for example 2026-03-22-163022-license-audit.md.

This skill provides comprehensive open-source license compliance expertise for identifying all dependency licenses, detecting incompatibilities, flagging legal risks, and producing structured audit reports.
Invoke this skill when:
Permissive licenses allow almost unrestricted use, modification, and redistribution with minimal obligations (typically just attribution).
| License | SPDX ID | Key Obligations | Common In |
|---|---|---|---|
| MIT | MIT | Attribution in copies | npm, RubyGems |
| Apache 2.0 | Apache-2.0 | Attribution, NOTICE file, state changes, patent grant | Java, Android, Cloud |
| BSD 2-Clause | BSD-2-Clause | Attribution in copies | FreeBSD ecosystem |
| BSD 3-Clause | BSD-3-Clause | Attribution, no endorsement clause | Academic, research |
| ISC | ISC | Attribution (simplified MIT equivalent) | npm (many small packages) |
| 0BSD | 0BSD | None (public domain equivalent) | Rare |
| Unlicense | Unlicense | None (public domain dedication) | Small utilities |
| CC0-1.0 | CC0-1.0 | None (public domain dedication) | Data, documentation |
| Zlib | Zlib | Attribution for source, no misrepresentation | Game dev, compression |
| BSL-1.0 | BSL-1.0 | None for source, attribution for binary | Boost C++ |
Weak copyleft licenses require sharing changes to the licensed component itself, but generally allow linking/importing without copyleft obligations spreading to your code.
| License | SPDX ID | Key Obligations | Risk Level |
|---|---|---|---|
| LGPL-2.1 | LGPL-2.1-only | Share modifications to the library; dynamic linking OK | Moderate |
| LGPL-3.0 | LGPL-3.0-only | Share modifications to the library; dynamic linking OK | Moderate |
| MPL-2.0 | MPL-2.0 | Share modifications to MPL-licensed files; other files unaffected | Low-Moderate |
| EPL-2.0 | EPL-2.0 | Share modifications; secondary license option | Moderate |
| CDDL-1.0 | CDDL-1.0 | Share modifications to CDDL-licensed files | Moderate |
| OSL-3.0 | OSL-3.0 | Share modifications; network use triggers copyleft | Moderate-High |
Strong copyleft licenses require that any work that includes, links, or is derived from the licensed code must also be released under the same (or compatible) copyleft license. This can require disclosure of your proprietary source code.
| License | SPDX ID | Key Obligations | Risk Level |
|---|---|---|---|
| GPL-2.0 | GPL-2.0-only | Derivative works must be GPL; source disclosure required | High |
| GPL-3.0 | GPL-3.0-only | Derivative works must be GPL; anti-tivoization; patent grant | High |
| AGPL-3.0 | AGPL-3.0-only | Network use triggers copyleft (SaaS must share source) | Critical |
| EUPL-1.2 | EUPL-1.2 | Derivative works must be EUPL or compatible copyleft | High |
| SSPL-1.0 | SSPL-1.0 | Service providers must share entire stack source | Critical |
| CC-BY-SA-4.0 | CC-BY-SA-4.0 | Share-alike for adaptations (meant for content, not code) | High |
| License | SPDX ID | Key Issues |
|---|---|---|
| BSL 1.1 (Business Source) | BUSL-1.1 | Not open-source; restricts production use until change date |
| Elastic License 2.0 | Elastic-2.0 | Prohibits providing as a managed service |
| Commons Clause | N/A (addendum) | Prohibits selling the software |
| WTFPL | WTFPL | Ambiguous legal standing; some organizations reject it |
| No License | NOASSERTION | All rights reserved by default; cannot legally use |
When assessing compatibility, the project's outbound license determines what inbound dependency licenses are acceptable:
Project License: MIT
Project License: Apache-2.0
Project License: GPL-3.0
Project License: Proprietary / No License
Dual-Licensed Packages: Some packages offer multiple licenses (e.g., "MIT OR Apache-2.0"). The user can choose which license to comply with. Always identify dual-licensed packages and note the most permissive option.
License Exceptions: Some licenses include exceptions (e.g., "GPL-2.0 WITH Classpath-exception-2.0" in Java). These exceptions often relax copyleft obligations for linking. Always note exceptions.
SPDX License Expressions:
Dependency manifests may use SPDX expressions: AND (must comply with both), OR (choose one), WITH (license + exception). Parse these correctly.
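The SPDX expression handling described here, together with the dual-licensing and exception notes above, as an added example (not the skill's own code): a small recursive-descent parser with SPDX precedence (WITH, then AND, then OR), an evaluator that keeps the most permissive branch of an OR and the strictest branch of an AND, and a verdict for a non-copyleft (MIT / Apache-2.0 / proprietary) project. The CATEGORY, LINKING_EXCEPTIONS and POLICY tables are an assumed, simplified rubric for illustration; a copyleft project needs version-specific compatibility rules that this example does not attempt.

```python
"""Parse SPDX license expressions (AND / OR / WITH, parentheses) and evaluate
them against a non-copyleft project license.

Added example; not code from the compliance-license-audit skill. CATEGORY,
LINKING_EXCEPTIONS and POLICY are a simplified, assumed rubric, not legal
advice; extend them from the license tables above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Assumed classification of a few common ids (see the tables above).
CATEGORY = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-3-Clause": "permissive",
    "ISC": "permissive", "LGPL-2.1-only": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "EPL-2.0": "weak-copyleft", "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft", "AGPL-3.0-only": "network-copyleft",
    "SSPL-1.0": "network-copyleft",
}
# Exceptions assumed here to relax a strong-copyleft license to weak-copyleft for linking.
LINKING_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception", "GCC-exception-3.1"}
# Least to most restrictive; "unknown" ranks last because no license means all rights reserved.
RANK = ["permissive", "weak-copyleft", "strong-copyleft", "network-copyleft", "unknown"]
# Assumed verdict for a project under MIT / Apache-2.0 / proprietary terms.
POLICY = {"permissive": "ok", "weak-copyleft": "moderate", "strong-copyleft": "high",
          "network-copyleft": "critical", "unknown": "high"}


@dataclass
class Lic:
    id: str
    exception: Optional[str] = None


@dataclass
class Op:
    op: str          # "AND" or "OR"
    left: "Node"
    right: "Node"


Node = Union[Lic, Op]
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")


def normalize(lic_id: str) -> str:
    """Map deprecated spellings ('GPL-2.0', 'GPL-2.0+') to current SPDX ids."""
    if lic_id.endswith("+"):
        return lic_id[:-1] + "-or-later"
    if re.fullmatch(r"[AL]?GPL-\d\.\d", lic_id):
        return lic_id + "-only"
    return lic_id


def parse(text: str) -> Node:
    """Recursive descent: or_expr := and_expr (OR and_expr)*; and_expr := primary (AND primary)*."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def primary() -> Node:
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        node = Lic(normalize(tok))
        if peek() == "WITH":        # WITH binds tightest: license + exception
            take()
            node.exception = take()
        return node

    def and_expr() -> Node:
        node = primary()
        while peek() == "AND":
            take()
            node = Op("AND", node, primary())
        return node

    def or_expr() -> Node:
        node = and_expr()
        while peek() == "OR":
            take()
            node = Op("OR", node, and_expr())
        return node

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def category(lic: Lic) -> str:
    cat = CATEGORY.get(lic.id.replace("-or-later", "-only"), "unknown")
    if cat == "strong-copyleft" and lic.exception in LINKING_EXCEPTIONS:
        return "weak-copyleft"
    return cat


def evaluate(node: Node) -> Tuple[str, str]:
    """Return (effective category, concrete choice). OR keeps the most permissive
    branch (the user may pick it); AND keeps the strictest, since both apply."""
    if isinstance(node, Lic):
        return category(node), node.id + (f" WITH {node.exception}" if node.exception else "")
    lc, ll = evaluate(node.left)
    rc, rl = evaluate(node.right)
    if node.op == "OR":
        return (lc, ll) if RANK.index(lc) <= RANK.index(rc) else (rc, rl)
    return (lc if RANK.index(lc) >= RANK.index(rc) else rc), f"{ll} AND {rl}"


def assess(expression: str) -> Dict[str, str]:
    cat, choice = evaluate(parse(expression))
    return {"expression": expression, "effective": cat, "choice": choice, "risk": POLICY[cat]}
```

Calling assess("GPL-2.0 WITH Classpath-exception-2.0") normalizes the deprecated id to GPL-2.0-only, records the exception in the choice string so it lands in the report, and rates it moderate rather than high; assess("MIT OR GPL-3.0") picks MIT, which is the dual-licensing behaviour the text asks for.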
Vendored / Copied Code:
Code copied directly into the repository (not installed via package manager) still carries its original license obligations. Look for license headers in source files, vendor/ directories, and third-party/ folders.
Scan all dependency manifest files for declared dependencies and their licenses:
Node.js / JavaScript:
- package.json for dependencies, devDependencies, peerDependencies, optionalDependencies
- package-lock.json, yarn.lock, or pnpm-lock.yaml
- node_modules/{package}/package.json (if installed)
- node_modules/{package}/LICENSE file

Python:
- requirements.txt, setup.py, setup.cfg, pyproject.toml, Pipfile
- Pipfile.lock, poetry.lock, or requirements.txt (pip freeze output)

.NET / C#:
- .csproj files for <PackageReference> elements
- packages.config (older projects)
- packages.lock.json or obj/project.assets.json
- .nuspec file for <license> or <licenseUrl>

Go:
- go.mod for require directives
- go.sum
- vendor/ directory for LICENSE files

Rust:
- Cargo.toml for [dependencies]
- Cargo.lock
- license field in Cargo.toml

Ruby:
- Gemfile for gem declarations
- Gemfile.lock

Java / Kotlin:
- pom.xml for <dependency> elements and <licenses> section
- build.gradle or build.gradle.kts for dependency declarations

PHP:
- composer.json for require and require-dev
- composer.lock

If scope includes source code, scan for license headers and copyright notices:
Use Grep to search for common license header patterns:
- SPDX-License-Identifier:
- Copyright (c) or Copyright (C) or (c) [year]
- Licensed under the
- Permission is hereby granted (MIT)
- Licensed to the Apache Software Foundation (Apache)
- GNU General Public License (GPL)
- This program is free software (GPL)
- Mozilla Public License (MPL)

Check for license files in subdirectories:
- vendor/*/LICENSE
- third-party/*/LICENSE
- lib/*/LICENSE
- external/*/LICENSE

Look for copied/vendored code indicators:
- @license JSDoc tags
- @copyright tags
- THIRD-PARTY-NOTICES files

For each component found:
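The manifest scan and the source-header scan above, as one added example (not the skill's own code) for the Node.js ecosystem: it walks node_modules/*/package.json, reads each package's LICENSE file, identifies the license text from the header phrases listed above, flags packages whose declared license does not match their LICENSE text or that have no license at all, records whether a package is a devDependency, and then greps vendor/, third-party/, lib/ and external/ for SPDX-License-Identifier and @license tags. The fingerprint table, the family-level reporting of GNU licenses and the fixture written by build_sample_repo() are assumptions made for this demonstration.

```python
"""Scan installed npm packages and vendored source for license evidence and
cross-check each package's declared license against its LICENSE text.

Added example; not code from the compliance-license-audit skill. Fingerprint
phrases are the header patterns listed above; GNU licenses are reported by
family only (GPL/LGPL/AGPL) since the version must be confirmed by hand. The
tree written by build_sample_repo() is a constructed fixture.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# (pattern, license family); order matters: Affero/Lesser are tested before plain GPL.
FINGERPRINTS = [
    (re.compile(r"Permission is hereby granted", re.I), "MIT"),
    (re.compile(r"Licensed to the Apache Software Foundation|Apache License", re.I), "Apache"),
    (re.compile(r"GNU Affero General Public License", re.I), "AGPL"),
    (re.compile(r"GNU Lesser General Public License", re.I), "LGPL"),
    (re.compile(r"GNU General Public License|This program is free software", re.I), "GPL"),
    (re.compile(r"Mozilla Public License", re.I), "MPL"),
    (re.compile(r"Redistribution and use in source and binary forms", re.I), "BSD"),
]
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([^\s*/]+)")
JSDOC_LICENSE = re.compile(r"@license\s+([^\s*/]+)")
LICENSE_FILES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE", "COPYING")


def identify_license_text(text: str) -> Optional[str]:
    """Best-effort license family from license/header text; None if unrecognised."""
    return next((family for pattern, family in FINGERPRINTS if pattern.search(text)), None)


def _declared_license(pkg: dict) -> Optional[str]:
    lic = pkg.get("license")
    if isinstance(lic, dict):        # legacy {"type": ..., "url": ...} form
        lic = lic.get("type")
    return lic or None


def _family(spdx: str) -> str:
    """'GPL-2.0-only' -> 'GPL'. Uses only the first id of an expression."""
    return next(t for t in re.split(r"[\s()]+", spdx) if t).split("-")[0]


def scan_node_modules(root: Path) -> List[Dict[str, Optional[str]]]:
    """One finding per installed package: declared vs detected license, dev/runtime context."""
    top = json.loads((root / "package.json").read_text(encoding="utf-8"))
    dev = set(top.get("devDependencies", {}))
    findings = []
    for pkg_json in sorted((root / "node_modules").glob("*/package.json")):
        pkg = json.loads(pkg_json.read_text(encoding="utf-8"))
        declared = _declared_license(pkg)
        lic_file = next((pkg_json.parent / n for n in LICENSE_FILES if (pkg_json.parent / n).is_file()), None)
        detected = identify_license_text(lic_file.read_text(encoding="utf-8")) if lic_file else None
        if declared is None and detected is None:
            issue = "no license (all rights reserved by default)"
        elif declared is None:
            issue = f"undeclared in package.json; LICENSE text looks like {detected}"
        elif detected and _family(declared) != detected:
            issue = f"declared {declared} but LICENSE text looks like {detected}"
        else:
            issue = None                  # consistent, or no LICENSE file to check against
        findings.append({"package": pkg["name"], "declared": declared, "detected": detected,
                         "context": "dev" if pkg["name"] in dev else "runtime", "issue": issue})
    return findings


def scan_source_headers(root: Path, dirs=("vendor", "third-party", "lib", "external")) -> List[Dict[str, str]]:
    """Report SPDX tags, @license tags and recognisable header text in vendored code."""
    hits = []
    for d in dirs:
        if not (root / d).is_dir():
            continue
        for f in sorted(p for p in (root / d).rglob("*") if p.is_file()):
            head = f.read_text(encoding="utf-8", errors="replace")[:2000]   # headers sit at the top
            m = SPDX_TAG.search(head) or JSDOC_LICENSE.search(head)
            lic = m.group(1) if m else identify_license_text(head)
            if lic:
                hits.append({"file": f.relative_to(root).as_posix(), "license": lic,
                             "evidence": "SPDX/@license tag" if m else "header text"})
    return hits


def build_sample_repo() -> Path:
    """Constructed fixture: three installed packages and one vendored file."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({
        "name": "demo", "dependencies": {"good-lib": "1.0.0", "mislabeled": "2.0.0"},
        "devDependencies": {"bare-pkg": "0.1.0"}}))
    samples = {   # name -> (package.json fields, LICENSE text or None)
        "good-lib": ({"license": "MIT"}, "MIT License\n\nPermission is hereby granted, free of charge...\n"),
        "mislabeled": ({"license": "MIT"}, "This program is free software; see the GNU General Public License.\n"),
        "bare-pkg": ({}, None),              # no license field and no LICENSE file
    }
    for name, (meta, license_text) in samples.items():
        d = root / "node_modules" / name
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": name, **meta}))
        if license_text:
            (d / "LICENSE").write_text(license_text)
    (root / "vendor" / "tiny").mkdir(parents=True)
    (root / "vendor" / "tiny" / "tiny.js").write_text("// SPDX-License-Identifier: MPL-2.0\nmodule.exports = 1;\n")
    return root
```

On the fixture, "mislabeled" is reported as declared MIT but carrying GPL text, "bare-pkg" as having no license at all (and as a devDependency, so the copyleft context note applies), and the vendored tiny.js surfaces through its SPDX tag even though no package manager knows about it.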
For each identified license:
Assign a risk level to each finding:
Generate the report using the template below. Save to /docs/compliance/{timestamp}-license-audit.md.
The timestamp has the form YYYY-MM-DD-HHMMSS, giving a path such as /docs/compliance/2026-03-22-163022-license-audit.md.

CRITICAL INSTRUCTION - READ CAREFULLY
Your response MUST start DIRECTLY with "## License Compliance Audit:" followed by the project name. Do NOT include any preamble.
You MUST use the exact template structure provided. This is MANDATORY and NON-NEGOTIABLE.
REQUIREMENTS:
If you do not follow this template exactly, the audit will be rejected.
The License Compliance Score (0-100) is calculated based on:
| Factor | Weight | Scoring |
|---|---|---|
| License compatibility | 30% | -30 for critical incompatibilities, -15 for high risk |
| Missing licenses | 25% | -25 if any dependency has no license, -5 per unknown |
| Obligation fulfillment | 20% | -20 if NOTICE file missing when required, -5 per unmet obligation |
| Copyleft exposure | 15% | -15 for AGPL/SSPL in non-copyleft project, -10 for GPL |
| License documentation | 10% | -10 if project itself has no license, -5 if LICENSE file is incomplete |
Score interpretation:
| Score | Assessment |
|---|---|
| 90-100 | Excellent - Full compliance, minimal risk |
| 75-89 | Good - Minor issues, generally compliant |
| 50-74 | Fair - Notable risks requiring attention |
| 25-49 | Poor - Significant compliance gaps |
| 0-24 | Critical - Major legal risks, immediate action required |
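The scoring rubric and the interpretation bands above, as an added example (not the skill's own code) so that two auditors reach the same number from the same findings. The table leaves a few points open, and the code states its assumptions: each factor's total deduction is capped at that factor's weight, "per unknown" and "per unmet obligation" deductions count every occurrence, and where a factor lists alternatives the larger applicable deduction is taken. The finding keys (critical_incompat, high_incompat, no_license, and so on) are names chosen here, not part of the skill.

```python
"""Compute the License Compliance Score (0-100) from the factor table above and
map it to the interpretation bands.

Added example; not code from the compliance-license-audit skill. Assumptions:
each factor's deduction is capped at its weight; "per unknown" and "per unmet
obligation" count every occurrence; where a factor lists alternatives, the
larger applicable deduction is taken. Findings arrive as a dict of counts/flags.
"""
from typing import Dict, Tuple

WEIGHTS = {"compatibility": 30, "missing_licenses": 25, "obligations": 20,
           "copyleft_exposure": 15, "documentation": 10}
# (lower bound, label) from the score interpretation table, highest first.
BANDS = [(90, "Excellent"), (75, "Good"), (50, "Fair"), (25, "Poor"), (0, "Critical")]


def raw_deductions(f: Dict[str, int]) -> Dict[str, int]:
    """Uncapped deduction per factor. Keys of `f` (all optional, names assumed here):
    critical_incompat, high_incompat, no_license, unknown_license, notice_missing,
    unmet_obligations, agpl_or_sspl, gpl, project_unlicensed, license_file_incomplete."""
    g = f.get
    return {
        "compatibility": 30 if g("critical_incompat") else 15 if g("high_incompat") else 0,
        "missing_licenses": (25 if g("no_license") else 0) + 5 * g("unknown_license", 0),
        "obligations": (20 if g("notice_missing") else 0) + 5 * g("unmet_obligations", 0),
        "copyleft_exposure": 15 if g("agpl_or_sspl") else 10 if g("gpl") else 0,
        "documentation": 10 if g("project_unlicensed") else 5 if g("license_file_incomplete") else 0,
    }


def compliance_score(f: Dict[str, int]) -> Tuple[int, str, Dict[str, int]]:
    """Return (score, band label, capped deduction per factor)."""
    deductions = {k: min(v, WEIGHTS[k]) for k, v in raw_deductions(f).items()}
    score = 100 - sum(deductions.values())           # weights sum to 100, so never below 0
    band = next(label for floor, label in BANDS if score >= floor)
    return score, band, deductions


if __name__ == "__main__":
    print(compliance_score({"high_incompat": 1, "unknown_license": 2, "gpl": 1}))
```

Because the per-factor cap equals the weight, ten unknown-license dependencies cannot push the "missing licenses" deduction past 25; the capped per-factor breakdown is returned alongside the score so the report can show where the points went.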
Verify, Don't Assume: A license field in package.json may not match the actual LICENSE file. When possible, verify the license text matches the declared license.
Context Matters: A GPL dependency used only in development tooling (devDependencies) typically doesn't trigger copyleft obligations for the shipped product. Note this distinction in findings.
Err on the Side of Caution: If a license can't be identified, flag it. "No license" legally means "all rights reserved" and is higher risk than any identified license.
Note License Versions: "GPL-2.0-only" vs "GPL-2.0-or-later" have very different implications. Always note the specific version and whether "or later" applies.
Consider Distribution Model: Copyleft obligations typically trigger on distribution. SaaS/server-side use may not trigger GPL (but DOES trigger AGPL). Note this context.
Acknowledge Dual Licensing: When a package offers dual licensing (e.g., "MIT OR GPL-3.0"), note that the user can choose the more permissive option.
Before finalizing a license audit:
When reporting license findings: