A single GPL or AGPL dependency can force you to open-source your entire product, or sink an acquisition in due diligence. This skill audits your dependency tree for license risk — scoped to how your project actually ships, because the same dependency can be perfectly fine in one model and a violation in another.

What makes it different

It detects your **distribution model** first — hosted SaaS, distributed app/binary, open source, or internal tool — then judges every dependency against it. AGPL is a non-issue for a CLI tool but a Critical violation in proprietary SaaS. GPL is fine in your backend but not in a distributed binary. Generic license scanners ignore this; this one leads with it.

What it checks

• Copyleft conflicts AGPL in proprietary SaaS (the #1 startup trap — network use counts as distribution), GPL in distributed proprietary software, LGPL static-linking nuances, MPL file-level reciprocity
• Source-available licenses: BUSL, SSPL, Elastic License, FSL, Confluent — used commercially against their terms. Tracks the version whipsaw (Redis → AGPL 2025, Elasticsearch → AGPL 2024, Terraform → BUSL 2023)
• Attribution duties: missing NOTICE files (Apache-2.0), stripped copyright headers, no aggregated third-party licenses when distributing (including browser-shipped frontend bundles)
• Unknown / no license: dependencies that are all-rights-reserved by default — no legal right to use
• Your own project: missing or mismatched LICENSE, outbound/inbound incompatibility for open-source projects

Ecosystems

npm/yarn/pnpm, PyPI (pip/poetry/pipenv), Cargo, Go modules, Maven/Gradle, RubyGems, Composer, NuGet, pub.dev — reads direct and transitive dependencies from lock files, distinguishes shipped vs dev/build-only.

How it works

1. Detects ecosystems + your project license + distribution model (asks if ambiguous).
2. Builds the dependency license map from lock files, with SPDX identifiers.
3. Audits each against the distribution model and per-license obligations.
4. Writes LICENSE_AUDIT.md graded by legal risk (Critical/High/Medium/Low) with the dependency, version, SPDX id, the exact conflict, and a concrete fix — replace with X, comply by Y, or get a commercial license.

Why buy it

• Distribution-aware — the only framing that gives correct answers; avoids both false alarms and missed violations
• Due-diligence ready — run it before a release, fundraise, or acquisition; the report is the artifact reviewers ask for
• Concrete fixes — named permissive replacements and exact compliance steps, not "remove GPL stuff"
• Current — knows the 2023–2025 source-available relicensing wave and pins findings to the version in your lock file
• Agent-agnostic — Claude Code, Cursor, Codex CLI, Copilot, Gemini CLI

Limitations

Analyzes declared licenses statically. Not legal advice — license interpretation is fact-specific. Doesn't scan for security CVEs (use an SCA tool for that), doesn't auto-generate NOTICE files, and doesn't verify that a declared license matches the actual code.