license-audit
Install: claude install-skill bakw00ds/yakos
# License Audit
## Purpose
Scan the project's dependency tree against a license policy file and
report violations: copyleft licenses (GPL/AGPL/SSPL) in a proprietary
codebase, unknown / missing licenses, license downgrades on update
(e.g., MIT→GPL), and unapproved license families. Primary consumers:
`supply-chain-auditor` (audit) and `maintainer` (gate on dep-update PRs).
## Scope
- Reads the project's lock file (package-lock.json, pnpm-lock.yaml,
poetry.lock, Cargo.lock, go.sum, etc.) and resolves declared
licenses for every direct + transitive dependency.
- Compares each license against `.claude/license-policy.json`
(project-supplied).
- Diffs against a previous-run baseline to flag downgrades.
- Emits a markdown report with categorized findings; exits non-zero
if any blocking violation exists.
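The four steps above, carried through end to end as an added example. This is not the skill's own code (the page does not show its implementation); it is a small Python checker that reads an npm `package-lock.json` (lockfileVersion 2/3 `packages` map), classifies each dependency against a policy, diffs against a baseline to catch downgrades, renders a markdown report and returns a non-zero exit status when a blocking finding exists. The policy shape (`allowed`, `blocking`, `blocking_prefixes`, `block_unknown`) and the baseline shape (package name to license) are assumptions, since the page gives no schema for `.claude/license-policy.json`; the lock file, policy and baseline below are constructed sample data.

```python
"""Minimal license-policy audit: lock file -> classify -> diff baseline -> report."""
import json
import sys

# Constructed sample lock file (npm lockfileVersion 3 shape). Not from any real project.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "license": "UNLICENSED"},           # root, skipped
        "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
        "node_modules/chalk": {"version": "4.1.2", "license": "MIT"},
        "node_modules/some-lib": {"version": "2.0.0", "license": "GPL-3.0-only"},
        "node_modules/mystery": {"version": "0.1.0"},                 # no license field
        "node_modules/dual": {"version": "1.0.0", "license": "(MIT OR Apache-2.0)"},
        "node_modules/chalk/node_modules/ansi-styles": {"version": "4.3.0", "license": "MIT"},
    },
}

# Assumed policy schema; the page does not specify .claude/license-policy.json.
SAMPLE_POLICY = {
    "allowed": ["MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"],
    "blocking": ["SSPL-1.0"],
    "blocking_prefixes": ["GPL-", "AGPL-"],   # SPDX identifiers starting with these
    "block_unknown": False,                   # missing licenses warn, do not block
}

# Assumed baseline shape: package name -> license seen on the previous run.
SAMPLE_BASELINE = {"left-pad": "WTFPL", "chalk": "MIT", "some-lib": "MIT"}


def parse_npm_lock(lock):
    """Map package name -> declared SPDX license (None when missing).
    Nested paths like node_modules/a/node_modules/b resolve to 'b'; scopes are kept."""
    deps = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:                       # "" is the root project, not a dependency
            continue
        deps[path.rsplit("node_modules/", 1)[-1]] = meta.get("license")
    return deps


def classify(spdx, policy):
    """Return one of: ok, unknown, review, copyleft, unapproved."""
    if not spdx:
        return "unknown"
    if any(op in spdx for op in (" OR ", " AND ", " WITH ")):
        return "review"                    # dual license / exception clause: human call
    prefixes = tuple(policy.get("blocking_prefixes", ()))
    if spdx in policy.get("blocking", ()) or (prefixes and spdx.startswith(prefixes)):
        return "copyleft"
    if spdx in policy.get("allowed", ()):
        return "ok"
    return "unapproved"


def find_downgrades(current, baseline, policy):
    """A downgrade is an approved license on the last run that is no longer approved now."""
    out = []
    for name, old in baseline.items():
        if name not in current or current[name] == old:
            continue
        if classify(old, policy) == "ok" and classify(current[name], policy) != "ok":
            out.append((name, old, current[name]))
    return out


def audit(lock, policy, baseline):
    deps = parse_npm_lock(lock)
    findings = {k: [] for k in ("copyleft", "downgrade", "unknown", "unapproved", "review")}
    for name, spdx in sorted(deps.items()):
        cat = classify(spdx, policy)
        if cat != "ok":
            findings[cat].append((name, spdx))
    findings["downgrade"] = find_downgrades(deps, baseline, policy)
    blocking = bool(findings["copyleft"] or findings["downgrade"]
                    or (policy.get("block_unknown") and findings["unknown"]))
    return {"findings": findings, "blocking": blocking, "count": len(deps)}


TITLES = {
    "copyleft": "Blocking: copyleft licenses", "downgrade": "Blocking: license downgrades",
    "unknown": "Unknown or missing licenses", "unapproved": "Unapproved license families",
    "review": "Needs human review (license expressions)",
}


def render_markdown(result):
    lines = [f"# License audit ({result['count']} packages scanned)", ""]
    for cat, title in TITLES.items():
        items = result["findings"][cat]
        if not items:
            continue
        lines.append(f"## {title} ({len(items)})")
        for name, *lics in items:
            lines.append(f"- {name}: " + " -> ".join(l or "(missing)" for l in lics))
        lines.append("")
    lines.append("Result: **FAIL**" if result["blocking"] else "Result: **PASS**")
    return "\n".join(lines)


def main(argv=None):
    """Usage: script.py LOCK.json POLICY.json BASELINE.json (defaults to the samples)."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) == 3:
        with open(argv[0]) as a, open(argv[1]) as b, open(argv[2]) as c:
            lock, policy, baseline = json.load(a), json.load(b), json.load(c)
    else:
        lock, policy, baseline = SAMPLE_LOCK, SAMPLE_POLICY, SAMPLE_BASELINE
    result = audit(lock, policy, baseline)
    print(render_markdown(result))
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample data the report lists `some-lib` twice (once under copyleft, once as an MIT -> GPL-3.0-only downgrade), puts `dual` under human review rather than silently passing it because `MIT` is allowed, and exits 1. Only the npm lock format is parsed here; pnpm, poetry, Cargo and Go lock files would each need their own `parse_*` function feeding the same `classify`/`audit` path.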
## When to use
- On every dep-update PR, as a CI gate.
- Before a release, against the locked dep set going to prod.
- When onboarding a new dep — manually, before the dep is added.
- For compliance audits (open-source-program-office reviews,
acquisition due-diligence, customer license inquiries).
## When NOT to use
- For pure internal tooling that ships nothing externally — copyleft
obligations attach to distribution. Verify with legal that "no
external distribution" applies before opting out.
- As a replacement for legal review — this skill flags the obvious
cases. Edge cases (dual-licensed deps, license-with-exception,
patent-grant clauses) need a human l