Wip License Hook

License rug-pull detection. Scans dependencies and forks for license changes, gates upstream merges, maintains a license ledger, and generates a public compl...
parkertoddbrooks (Source)
Developer tools, clawhub, v1.9.72, 3 versions, 99915.3, Key: not required

Overview

wip-license-hook

Detect license rug-pulls before they reach your codebase.

Commands

Initialize ledger for a project

wip-license-hook init --repo /path/to/repo

Scans all current dependencies and forks, records their licenses, creates LICENSE-LEDGER.json.

Scan all dependencies

wip-license-hook scan --all

Checks every dependency and fork against the ledger. Updates last_checked. Flags any changes.

Pre-merge gate

wip-license-hook gate --upstream <remote>

Fetches upstream without merging. Checks license. Returns exit code 0 (safe) or 1 (changed/blocked).

Use in git hooks or CI.
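
One way to call the gate from a hook script or CI step so that it fails closed, as an added example that is not part of wip-license-hook itself. It relies only on the `gate --upstream <remote>` command and the 0/1 exit codes documented above; the `license_gate` helper name and its extra return code 2 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around `wip-license-hook gate`.
# license_gate is a hypothetical helper name, not part of the tool.
# Return codes: 0 = safe, 1 = license changed/blocked, 2 = gate could not run.

license_gate() {
    lg_remote="${1:-}"

    # Reject an empty remote or one that would be parsed as an option.
    case "$lg_remote" in
        ""|-*)
            echo "license-gate: invalid remote name '$lg_remote'" >&2
            return 2 ;;
    esac

    # A missing tool must not be mistaken for a clean result.
    if ! command -v wip-license-hook >/dev/null 2>&1; then
        echo "license-gate: wip-license-hook not found on PATH" >&2
        return 2
    fi

    # Capture the exit code without tripping `set -e` in the caller.
    lg_rc=0
    wip-license-hook gate --upstream "$lg_remote" || lg_rc=$?

    case "$lg_rc" in
        0)  return 0 ;;
        1)  echo "license-gate: license changed on '$lg_remote', merge blocked" >&2
            return 1 ;;
        *)  echo "license-gate: unexpected exit code $lg_rc, treating as blocked" >&2
            return 2 ;;
    esac
}

# Typical call from a hook script or CI step (any non-zero result stops the job):
#   license_gate upstream || exit 1
```

Returning 2 for a missing tool or an unexpected exit code keeps a broken install from being read as a clean license check.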

Generate report

wip-license-hook report

Outputs a human-readable license health report.

Generate dashboard

wip-license-hook dashboard --output ./docs

Creates a static HTML dashboard from the ledger. Deploy to GitHub Pages.

Daily Cron Usage

Add to HEARTBEAT.md or as a cron job:

wip-license-hook scan --all --alert

If any license changed, sends alert via configured channel (email, iMessage, Discord).

What It Detects

  • LICENSE file content changes
  • package.json license field changes
  • SPDX header changes
  • License removal (file deleted)
  • License downgrade (permissive → restrictive)

What It Does NOT Do

  • It does not provide legal advice
  • It never auto-merges anything
  • It does not modify upstream code

Alert Levels

  • 🟢 Clean — license unchanged since adoption
  • 🟡 Warning — license metadata inconsistency (e.g., LICENSE file says MIT but package.json says ISC)
  • 🔴 Blocked — license changed from what was adopted. Merge blocked. Human review required.

MCP

Tools: license_scan, license_audit, license_gate, license_ledger

Add to .mcp.json:

{
  "wip-license-hook": {
    "command": "node",
    "args": ["/path/to/tools/wip-license-hook/mcp-server.mjs"]
  }
}

Version History

3 versions in total

  • v1.9.72 (current)
    2026-04-30 16:36 Safe
  • v1.9.33
    2026-03-27 21:31
  • v1.9.8
    2026-03-14 02:08

Security Scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk