Files
deusdata--codebase-memory-mcp/scripts/license-gate-check-npm.py
T
wehub-resource-sync 41cb1c0170
OpenSSF Scorecard / scorecard (push) Failing after 0s
DCO / dco (push) Failing after 0s
CodeQL SAST / analyze (push) Failing after 1s
Deploy Pages / deploy (push) Failing after 1s
chore: import upstream snapshot with attribution
2026-07-13 12:28:05 +08:00

110 lines
3.9 KiB
Python
Executable File

#!/usr/bin/env python3
"""License-gate check for the graph-UI npm production dependency tree.
Usage: license-gate-check-npm.py <graph-ui-dir> <license-policy.json>
Walks the production tree (the packages whose code is compiled into the UI
bundle; platform-restricted native build tooling is excluded the same way
gen-ui-licenses.py excludes it) and fails if ANY package's license is not
on the policy allow-list. Packages with no declared license fall back to
the first line of their shipped license file; if that cannot be resolved
either, the gate fails — unknown is not allowed.
"""
import json
import os
import re
import subprocess
import sys
FILE_HEADER_MAP = {
"mit license": "MIT",
"the mit license": "MIT",
"the mit license (mit)": "MIT",
"apache license": "Apache-2.0",
"isc license": "ISC",
"bsd 2-clause license": "BSD-2-Clause",
"bsd 3-clause license": "BSD-3-Clause",
"the unlicense": "Unlicense",
}
def license_from_file(pkg_dir):
for fname in sorted(os.listdir(pkg_dir)):
if fname.upper().startswith(("LICENSE", "LICENCE", "COPYING", "UNLICENSE")):
try:
with open(os.path.join(pkg_dir, fname), encoding="utf-8",
errors="replace") as fh:
first = fh.readline().strip().lower()
return FILE_HEADER_MAP.get(first)
except OSError:
return None
return None
def collect(ui_dir, dep_tree, out):
for name, info in (dep_tree or {}).items():
version = info.get("version")
if not version:
continue
pkg_dir = os.path.join(ui_dir, "node_modules", *name.split("/"))
try:
with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
meta = json.load(fh)
except (OSError, ValueError):
continue
if meta.get("os") or meta.get("cpu"):
continue # platform-restricted native build tooling, not bundled
lic = meta.get("license", "")
if isinstance(lic, dict):
lic = lic.get("type", "")
out[(name, version)] = (str(lic or ""), pkg_dir)
collect(ui_dir, info.get("dependencies"), out)
def main():
ui_dir, policy_path = sys.argv[1], sys.argv[2]
with open(policy_path) as fh:
policy = json.load(fh)
allowed = {x.lower() for x in policy["allowed_spdx_ids"]}
ignored_pkgs = set(policy.get("ignored_npm_packages", []))
skip_tokens = {"and", "or", "with", ""}
# shell=True so the npm shim resolves on every platform (npm.cmd on
# Windows is not found by bare-name exec). Constant command, no injection.
ls = subprocess.run("npm ls --omit=dev --all --json",
shell=True, cwd=ui_dir, capture_output=True, text=True, check=False)
tree = json.loads(ls.stdout or "{}")
pkgs = {}
collect(ui_dir, tree.get("dependencies"), pkgs)
if not pkgs:
print("FAIL: npm production tree resolved to zero packages — "
"is node_modules installed?")
sys.exit(1)
violations = []
for (name, version), (lic, pkg_dir) in sorted(pkgs.items()):
if name in ignored_pkgs:
continue
if not lic:
lic = license_from_file(pkg_dir) or ""
if not lic:
violations.append((f"{name}@{version}", "no resolvable license"))
continue
for tok in re.split(r"[\s()]+", lic):
if tok.lower() in skip_tokens:
continue
if tok.lower() not in allowed:
violations.append((f"{name}@{version}", lic))
break
if violations:
print("BLOCKED: %d UI package(s) outside the license allow-list:" % len(violations))
for pkg, lic in violations[:25]:
print(f" {pkg}: {lic}")
sys.exit(1)
print(f"OK: {len(pkgs)} bundled npm packages, all allow-listed")
if __name__ == "__main__":
main()