compliance-notice-generate
Generate NOTICE, ATTRIBUTION, or THIRD-PARTY-NOTICES files from detected dependency licenses to fulfill open-source license obligations.
| name | compliance-notice-generate |
| description | Generate NOTICE, ATTRIBUTION, or THIRD-PARTY-NOTICES files from detected dependency licenses to fulfill open-source license obligations. |
| disable-model-invocation | true |
You are a software compliance specialist who generates legally compliant NOTICE and ATTRIBUTION files based on a project's dependency licenses.
CRITICAL: This command MUST NOT accept any arguments. If the user provided any text or paths after this command, you MUST COMPLETELY IGNORE them. You MUST ONLY gather requirements through the interactive AskUserQuestion tool as specified below.
BEFORE DOING ANYTHING ELSE: Use the AskUserQuestion tool to interactively determine the generation configuration. DO NOT skip this step.
If the user selects "Custom selection", ask a follow-up:
Before generating, check if a NOTICE, THIRD-PARTY-NOTICES, or ATTRIBUTION file already exists:
NOTICE, NOTICE.md, NOTICE.txt, THIRD-PARTY-NOTICES, THIRD-PARTY-NOTICES.md, THIRD-PARTY-NOTICES.txt, ATTRIBUTION, ATTRIBUTION.md, ATTRIBUTION.txt, licenses.json

Once configuration is gathered:

license field from its manifest

Provide a brief status message before beginning:
Generating [format] file...
- Scope: [production only / all / custom groups]
- License text: [full / name only / when required]
Scanning dependencies...
Save generated files to the project root directory:
- NOTICE or NOTICE.md
- THIRD-PARTY-NOTICES.md
- ATTRIBUTION.md
- licenses.json

This skill generates legally compliant attribution files from a project's dependency tree. These files fulfill the attribution and notice obligations required by many open-source licenses.
Invoke this skill when:
- /compliance-license-audit and finding unmet attribution obligations

Most permissive open-source licenses (MIT, BSD, Apache) require that copyright notices and license text be included with redistributed copies of the software. This means:
Failing to include these notices technically violates the license terms, even for permissive licenses.
- **Node.js**: `package.json` (dependencies, devDependencies, peerDependencies, optionalDependencies); lockfiles `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`; license sources `node_modules/{pkg}/package.json` (license field), `node_modules/{pkg}/LICENSE*`
- **Python**: `requirements.txt`, `pyproject.toml`, `setup.py`, `setup.cfg`, `Pipfile`; lockfiles `Pipfile.lock`, `poetry.lock`
- **.NET**: `*.csproj` (PackageReference), `packages.config`; lockfile `packages.lock.json`; license sources `.nuspec` files, NuGet license metadata
- **Go**: `go.mod`; `go.sum`; license sources `vendor/` LICENSE files, module cache
- **Rust**: `Cargo.toml`; `Cargo.lock`
- **Ruby**: `Gemfile`; `Gemfile.lock`
- **PHP**: `composer.json`; `composer.lock`
- **Java/JVM**: `pom.xml`, `build.gradle`, `build.gradle.kts`

The standard NOTICE file format, commonly used in Apache-2.0 projects:

```text
[Project Name]
Copyright [Year] [Copyright Holder]

This product includes software developed by third parties.

=========================================================================
Third-Party Software Notices
=========================================================================

[Package Name] ([version])
License: [License Name] ([SPDX ID])
Copyright: [Copyright notice from LICENSE file]
[URL if available]

[Repeat for each dependency...]

=========================================================================
```
Detailed markdown format with full license texts:
# Third-Party Software Notices
This file contains the licenses and notices for third-party software
included in [Project Name].
## Summary
| Package | Version | License |
|---------|---------|---------|
| [pkg] | [ver] | [license] |
| [Continue...] | | |
## License Texts
### [Package Name] (v[version])
- **License**: [License Name] ([SPDX ID])
- **Copyright**: [Copyright notice]
- **Repository**: [URL]
<details>
<summary>Full License Text</summary>
[Full license text from the dependency's LICENSE file]
</details>
[Repeat for each dependency...]
Human-readable attribution format:
# Attribution
[Project Name] is built with the following open-source software:
## [License Name] Licensed
### [Package Name] v[version]
Copyright [year] [author]
[URL]
[Repeat, grouped by license type...]
---
*This file was generated by [ai-compliance plugin](https://github.com/charlesjones-dev/claude-code-plugins-dev).
Last updated: [date]*
Machine-readable JSON format:

```json
{
  "generated": "[ISO 8601 date]",
  "project": "[Project Name]",
  "projectLicense": "[SPDX ID]",
  "dependencies": [
    {
      "name": "[package-name]",
      "version": "[version]",
      "license": "[SPDX ID]",
      "licenseText": "[full text or null]",
      "copyright": "[copyright notice]",
      "repository": "[URL]",
      "sourceFile": "[manifest file where declared]",
      "classification": "[permissive|weak-copyleft|strong-copyleft|unknown]"
    }
  ],
  "summary": {
    "total": 0,
    "permissive": 0,
    "weakCopyleft": 0,
    "strongCopyleft": 0,
    "unknown": 0,
    "uniqueLicenses": []
  }
}
```
When resolving the license for a dependency, use this priority order:
If multiple sources disagree, flag the discrepancy and use the LICENSE file as authoritative.
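The following is an added example, not code from the ai-compliance plugin, showing how the rules above fit together in one pass over a dependency set: the manifest `license` field and the shipped LICENSE file are both consulted, the LICENSE file wins and the mismatch is flagged when they disagree, copyright lines are pulled from the LICENSE file, each entry is classified, and the result is emitted in the licenses.json layout and the plain-text NOTICE layout shown earlier. The sample packages, the phrase-based license fingerprints, the `NOASSERTION` marker for undetermined licenses, and the extra `warnings` key are all assumptions made here for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample input (hypothetical packages, not real projects). Each record
# mimics what a scanner pulls from a manifest plus the dependency's LICENSE file.
SAMPLE_DEPS = [
    {"name": "tiny-pad", "version": "1.2.3", "manifest_license": "MIT",
     "repository": "https://example.invalid/tiny-pad", "sourceFile": "package.json",
     "license_text": "MIT License\n\nCopyright (c) 2019 Example Author\n\n"
                     "Permission is hereby granted, free of charge, to any person..."},
    # Manifest says MIT but the LICENSE file is Apache-2.0: the file wins and is flagged.
    {"name": "fastcsv", "version": "0.9.0", "manifest_license": "MIT",
     "repository": "https://example.invalid/fastcsv", "sourceFile": "package.json",
     "license_text": "Apache License\nVersion 2.0, January 2004\n\n"
                     "Copyright 2021 Example Corp\n\nLicensed under the Apache License..."},
    # Declared in the manifest, but no LICENSE file shipped.
    {"name": "gpl-widget", "version": "2.0.0", "manifest_license": "GPL-3.0-only",
     "repository": None, "sourceFile": "requirements.txt", "license_text": None},
    # Nothing declared and nothing shipped.
    {"name": "mystery", "version": "0.1.0", "manifest_license": None,
     "repository": None, "sourceFile": "go.mod", "license_text": None},
]

# Distinctive phrases identifying common license texts (a heuristic assumed here,
# not full SPDX template matching). LGPL is checked before GPL because its text
# also mentions the GPL; BSD-3 before BSD-2 because it adds the "Neither" clause.
FINGERPRINTS = [
    (("GNU LESSER GENERAL PUBLIC LICENSE", "Version 3"), "LGPL-3.0-only"),
    (("GNU GENERAL PUBLIC LICENSE", "Version 3"), "GPL-3.0-only"),
    (("Apache License", "Version 2.0"), "Apache-2.0"),
    (("Mozilla Public License", "2.0"), "MPL-2.0"),
    (("Permission is hereby granted, free of charge",), "MIT"),
    (("Redistribution and use in source and binary forms", "Neither the name"), "BSD-3-Clause"),
    (("Redistribution and use in source and binary forms",), "BSD-2-Clause"),
]

CLASSIFICATION = {
    "MIT": "permissive", "Apache-2.0": "permissive", "ISC": "permissive",
    "BSD-2-Clause": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-3.0-only": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "GPL-3.0-only": "strong-copyleft", "AGPL-3.0-only": "strong-copyleft",
}

COPYRIGHT_LINE = re.compile(r"^.*(?:copyright|\(c\)|©).*$", re.IGNORECASE | re.MULTILINE)


def detect_from_text(text):
    """Return the SPDX id whose fingerprint phrases all appear in the LICENSE text, else None."""
    if not text:
        return None
    for phrases, spdx in FINGERPRINTS:
        if all(p in text for p in phrases):
            return spdx
    return None


def resolve_license(dep):
    """Pick one dependency's license. On disagreement the LICENSE file is authoritative
    and the discrepancy is reported; with no file, the manifest declaration is used;
    with neither, SPDX's NOASSERTION marks the license as undetermined."""
    declared = dep.get("manifest_license")
    detected = detect_from_text(dep.get("license_text"))
    warning = None
    if detected and declared and detected != declared:
        warning = (f"{dep['name']}@{dep['version']}: manifest declares {declared} "
                   f"but LICENSE file is {detected}; using LICENSE file")
    return detected or declared or "NOASSERTION", warning


def extract_copyright(text):
    """Join every copyright line found in the LICENSE file; None if there is none."""
    if not text:
        return None
    return "; ".join(m.group(0).strip() for m in COPYRIGHT_LINE.finditer(text)) or None


def build_report(deps, project, project_license, generated=None):
    """Build the licenses.json structure, plus a 'warnings' list (an addition for this
    example, not part of the documented schema) holding flagged discrepancies."""
    entries, warnings = [], []
    for dep in deps:
        spdx, warning = resolve_license(dep)
        if warning:
            warnings.append(warning)
        entries.append({
            "name": dep["name"], "version": dep["version"], "license": spdx,
            "licenseText": dep.get("license_text"),
            "copyright": extract_copyright(dep.get("license_text")),
            "repository": dep.get("repository"), "sourceFile": dep["sourceFile"],
            "classification": CLASSIFICATION.get(spdx, "unknown"),
        })
    key = {"permissive": "permissive", "weak-copyleft": "weakCopyleft",
           "strong-copyleft": "strongCopyleft", "unknown": "unknown"}
    counts = {"permissive": 0, "weakCopyleft": 0, "strongCopyleft": 0, "unknown": 0}
    for e in entries:
        counts[key[e["classification"]]] += 1
    return {"generated": generated or datetime.now(timezone.utc).isoformat(),
            "project": project, "projectLicense": project_license,
            "dependencies": entries,
            "summary": {"total": len(entries), **counts,
                        "uniqueLicenses": sorted({e["license"] for e in entries})},
            "warnings": warnings}


def render_notice(report, year, holder):
    """Render the plain-text NOTICE layout for every dependency in the report."""
    rule = "=" * 73
    out = [report["project"], f"Copyright {year} {holder}", "",
           "This product includes software developed by third parties.", "",
           rule, "Third-Party Software Notices", rule, ""]
    for d in report["dependencies"]:
        out += [f"{d['name']} ({d['version']})", f"License: {d['license']}"]
        if d["copyright"]:
            out.append(f"Copyright: {d['copyright']}")
        if d["repository"]:
            out.append(d["repository"])
        out.append("")
    return "\n".join(out + [rule])


if __name__ == "__main__":
    rep = build_report(SAMPLE_DEPS, "example-app", "Apache-2.0")
    print(render_notice(rep, 2024, "Example Maintainers"))
    print(json.dumps(rep, indent=2))
```

The fingerprint table is deliberately small; a real generator would match against the full SPDX license texts and also handle packages with no LICENSE file by fetching the text for the declared SPDX id, which this example leaves as `null` in `licenseText` exactly as the schema allows.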
For packages with dual licenses (e.g., "MIT OR Apache-2.0"):
If a package declares a license but has no LICENSE file:
If a package has a custom or modified license:
When extracting copyright notices:
Copyright in the LICENSE file

For monorepo projects with multiple packages:
Before generating the attribution file:
When generating attribution files:
/compliance-license-audit if a full compliance assessment hasn't been done