feat(docs): third-party licenses list

Author: fiftin

.claude/settings.local.json

@@ -0,0 +1,30 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(go list:*)",
+      "Bash(go build:*)",
+      "Bash(go get:*)",
+      "Bash(go mod:*)",
+      "Bash(go test *)",
+      "Bash(go doc *)",
+      "Bash(go version *)",
+      "Bash(grep -E \"\\\\.sql$\")",
+      "Bash(xargs ls *)",
+      "Bash(go vet *)",
+      "Bash(xargs cat *)",
+      "Bash(npx eslint *)",
+      "Bash(xargs -I {} sh -c 'echo \"=== {} ===\" && head -5 \"{}\"')",
+      "Bash(git stash *)",
+      "Bash(npm run *)",
+      "Bash(npm --version)",
+      "Bash(go install *)",
+      "Bash(npm install *)",
+      "Bash(go env *)",
+      "Bash(export PATH=\"$\\(go env GOPATH\\)/bin:$PATH\")",
+      "Bash(export GOWORK=off)",
+      "Bash(bash .claude/skills/semaphore-ui-third-party-licenses/scripts/collect_licenses.sh)",
+      "Bash(python3 *)",
+      "Bash(echo \"exit=$?\")"
+    ]
+  }
+}

.claude/skills/semaphore-ui-third-party-licenses/SKILL.md

@@ -0,0 +1,146 @@
+---
+name: semaphore-ui-third-party-licenses
+description: >
+  Generate or update the THIRD-PARTY-LICENSES.md file for the Semaphore UI repository. Use this skill whenever the user 
+  asks to create, update, regenerate, audit, or refresh third-party license attributions, OSS notices, SBOM-style 
+  license inventories, or NOTICE files for Semaphore UI. Trigger on phrases like "third-party licenses", "OSS notices",
+  "license attribution file", "SBOM for licenses", "NOTICE file", "audit dependencies",
+  "licenses for go.mod / package.json", or any request that mentions compliance with customer agreements requiring an
+  OSS components list. Also trigger when the user says "we added a new dependency, regenerate licenses". This skill
+  knows the Semaphore UI layout (Go backend + Vue.js frontend), the project's license policy (allowlist/denylist),
+  and the canonical output format.
+---
+
+# Semaphore UI — Third-Party License Generator
+
+This skill produces `THIRD-PARTY-LICENSES.md` for the Semaphore UI repository. The file lists every open-source
+dependency shipped with Semaphore UI by **name**, **version**, **license**, and **source URL**, grouped by component. It
+exists to satisfy contractual obligations toward customers (identification of OSS components by name, version,
+and license type) and to preserve attribution required by permissive licenses (MIT/BSD/Apache-2.0).
+
+## Repository layout you can expect
+
+Semaphore UI is a self-hosted product. The repository ships:
+
+- **Go backend** — module file at `go.mod`, source under `pkg/`, `services/`, `db/`, etc.
+- **Vue.js frontend** — `web/package.json` (or `web2/package.json` in some branches), built into static assets and
+  embedded in the Go binary.
+
+External CLI tools (Ansible, Terraform, OpenTofu, Pulumi, Bash) are invoked at runtime as separate operating-system
+processes. They are NOT linked into the binary and NOT redistributed with Semaphore UI, so they are intentionally
+**not listed** in `THIRD-PARTY-LICENSES.md` — their license terms apply to the user who installs them on the host,
+not to Semaphore UI's distribution. The license policy still discusses why this is contractually safe (see
+`references/license_policy.md`, "Subprocess exception").
+
+If the layout differs (monorepo restructure, new submodule, etc.), inspect the repo first with
+`find . -name "go.mod" -o -name "package.json" -not -path "*/node_modules/*"` and adapt.
+
+## Workflow
+
+Follow these steps in order. Don't skip the policy check — it's the part that actually protects the project from
+accidentally shipping a GPL'd dependency.
+
+### 1. Confirm scope with the user
+
+Before generating anything, ask (briefly) which targets to include if it's not obvious from context:
+
+- Backend only? Frontend only? Both?
+- Production dependencies only, or also dev dependencies?
+
+**Default**: both backend and frontend, **production-only** (dev dependencies are not distributed to customers and don't
+need attribution). Override only if the user explicitly asks for dev deps too.
+
+### 2. Collect raw license data
+
+Run `scripts/collect_licenses.sh` from the repo root. It does the following:
+
+- Sets `GOWORK=off` and runs `go-licenses report ./... --template scripts/go_template.tpl` for the Go backend, so
+  workspace siblings (e.g. `pro_impl`) are not pulled in.
+- Rolls sub-package rows up to their parent module (uses `go list -m all` for the module → version map) and drops
+  any module path that belongs to the root module's namespace (first-party packages, including `replace … => ./pro`
+  targets).
+- Applies a small `OVERRIDES` table in the script for modules where `go-licenses` can't auto-detect a license
+  (e.g. `modernc.org/mathutil` → BSD-3-Clause). Extend the table when new "Unknown" entries appear.
+- Runs `license-checker --production --json --excludePrivatePackages` in the frontend directory and strips the
+  low-confidence `*` suffix from license strings so `MIT*` collapses into `MIT`.
+- Writes raw output to `.licenses-cache/go.tsv` and `.licenses-cache/npm.json`.
+
+If the tools aren't installed, the script prints the install commands. Don't try to install them silently — show the
+user what needs to be added so they can decide whether to add them to CI.
+
+### 3. Run the policy check
+
+Run `scripts/check_policy.py .licenses-cache/`. This compares every detected license against the project policy in
+`references/license_policy.md`:
+
+- **Allowed** (green): MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Zlib, Unlicense, CC0-1.0, MPL-2.0 — proceed.
+- **Review** (yellow): LGPL-2.1, LGPL-3.0, EPL-2.0, CDDL-1.0, custom/unknown — pause and ask the user. LGPL is fine for
+  dynamic linking but Go statically links, so flag it for review.
+- **Forbidden** (red): GPL-2.0, GPL-3.0, AGPL-3.0, SSPL-1.0, BUSL-1.1, Commons Clause, "non-commercial" clauses — STOP.
+  Do not proceed with file generation. Report the offending package and ask the user how to handle it (replace, vendor,
+  or accept and document the consequence).
+
+**This step is non-negotiable.** A forbidden license slipping into THIRD-PARTY-LICENSES.md isn't just a documentation
+problem — it's a contract breach with every customer. If `check_policy.py` returns a  non-zero exit code, surface the 
+failures prominently and stop.
+
+### 4. Generate the markdown
+
+Run `scripts/generate_md.py .licenses-cache/ > THIRD-PARTY-LICENSES.md`. This produces the file using the structure
+described in `references/template.md`. Key points the generator handles:
+
+- Sorts entries alphabetically within each section.
+- Groups by component category (Go backend / npm frontend).
+- Deduplicates packages that appear at multiple versions (lists all versions on one line).
+- Renders a summary table at the top with license counts.
+- Adds a generation timestamp and a note pointing to `scripts/collect_licenses.sh` so the file is reproducible.
+
+### 5. Verify and commit
+
+After generation:
+
+1. Diff against the previous `THIRD-PARTY-LICENSES.md` (if it exists). New rows = new dependencies — confirm with the
+   user that they're expected.
+2. Verify the file isn't truncated and ends with the closing footer (`<!-- end of generated file -->`).
+3. Suggest the commit message: `chore(licenses): regenerate THIRD-PARTY-LICENSES.md for vX.Y.Z`.
+4. If a CI pipeline exists (`.github/workflows/`), suggest adding a job that runs `scripts/check_policy.py` on every
+   PR — that's how the project prevents regressions, not by re-checking manually each release.
+
+## Notes on edge cases
+
+**Vendored dependencies.** If the repo has a `vendor/` directory, `go-licenses` will read from it. That's fine —
+vendored code still ships and still needs attribution.
+
+**Dual-licensed packages.** Some packages are offered under "MIT OR Apache-2.0". Pick MIT (the simpler one) and note the
+choice in the entry: `License: MIT (also available under Apache-2.0)`.
+
+**Packages with no detectable license.** `go-licenses` flags these as "Unknown". Don't ship the file with Unknowns —
+manually inspect the repo, fill in the SPDX identifier, and if there's truly no license, treat the package as
+forbidden (no license = "all rights reserved", which is incompatible with redistribution).
+
+**Ansible / Terraform / OpenTofu / Pulumi / Bash.** Do NOT list them in `THIRD-PARTY-LICENSES.md`. They are invoked
+as separate OS processes (`os/exec`), not linked, not redistributed. Their licenses bind the user who installs them
+on the host, not Semaphore UI's distribution. Listing them would imply otherwise and is an unnecessary signal to a
+reviewing customer's legal team. The "Subprocess exception" section in `references/license_policy.md` explains the
+reasoning if a reviewer asks.
+
+**First-party packages with no LICENSE.** The root module and any `replace … => ./<dir>` target (e.g. `./pro`) live
+inside this repo and don't need to be self-attributed. The collection script filters them out by the root module
+prefix from `go.mod`. If you see "Unknown license" rows for `github.com/<this-org>/<this-repo>/…`, the filter is
+working correctly — those rows shouldn't appear in the final cache.
+
+**Embedded license texts.** For packages under MIT/BSD/ISC, the license requires preserving the copyright notice. The
+generator embeds the full LICENSE file text from each package's source. For Apache-2.0 packages, it embeds the NOTICE
+file if one exists.
+
+## What this skill does NOT do
+
+- It does not generate a CycloneDX or SPDX SBOM. If the user wants a machine-readable SBOM (for compliance scanners,
+  customer attestations, etc.), point them at `syft packages dir:. -o cyclonedx-json` as a separate step.
+  THIRD-PARTY-LICENSES.md is the human-readable artifact.
+- It does not check for CVEs. That's a security concern, not a licensing one — use `govulncheck` and `npm audit` for
+  that.
+- It does not modify go.mod or package.json. The skill is read-only with respect to the dependency manifests; it only
+  generates the attribution document.
+
+See `references/license_policy.md` for the full policy and `references/template.md` for the output format.

.claude/skills/semaphore-ui-third-party-licenses/references/license_policy.md

@@ -0,0 +1,103 @@
+# License Policy for Semaphore UI
+
+This is the source of truth for which open-source licenses are acceptable in
+Semaphore UI dependencies. The policy is enforced by
+`scripts/check_policy.py` — if you change anything here, mirror the change
+in that script.
+
+The policy exists for two reasons:
+
+1. **Customer obligations.** Our MSA commits us to *not* shipping
+   components on terms that would require customers to license or assign
+   their IP. That rules out copyleft licenses with strong reciprocity
+   (GPL family, AGPL, SSPL).
+2. **Project sustainability.** Source-available-but-not-OSS licenses
+   (BUSL, Commons Clause, Elastic 2.0) carry use restrictions that conflict
+   with our open-source distribution model.
+
+## Allowed (no review needed)
+
+These are permissive licenses with attribution-only obligations. Anything
+under one of these can be added without further discussion.
+
+| SPDX ID | Name |
+|---------|------|
+| MIT, MIT-0 | MIT License |
+| Apache-2.0 | Apache License 2.0 |
+| BSD-2-Clause | BSD 2-Clause "Simplified" |
+| BSD-3-Clause | BSD 3-Clause "New" |
+| ISC | ISC License |
+| Zlib | zlib License |
+| Unlicense | The Unlicense |
+| CC0-1.0 | Creative Commons Zero |
+| MPL-2.0 | Mozilla Public License 2.0 (file-level copyleft, OK for libraries) |
+| 0BSD | BSD Zero Clause |
+| BlueOak-1.0.0 | Blue Oak Model License |
+| Python-2.0 | Python Software Foundation License |
+
+**Note on MPL-2.0:** MPL is allowed because its copyleft obligation is at
+the *file* level, not the project level. We can use MPL-licensed libraries
+without making Semaphore UI MPL. If we ever modify an MPL-licensed file,
+that file must remain MPL.
+
+## Review required
+
+These licenses are not blanket-forbidden but require a case-by-case
+decision. Pause and ask before merging a dependency under one of these.
+
+| SPDX ID | Why review |
+|---------|------------|
+| LGPL-2.1, LGPL-3.0 (and `-or-later`) | LGPL is fine for **dynamic** linking, but Go statically links by default. An LGPL Go library would force us to provide object files so users can relink. Acceptable only if the library is genuinely irreplaceable and we can document the relinking pathway. |
+| EPL-1.0, EPL-2.0 | Eclipse Public License has weak copyleft and an explicit patent clause. Generally workable but worth a legal eyeball. |
+| CDDL-1.0, CDDL-1.1 | File-level copyleft like MPL, but with extra requirements. Rare in our ecosystem. |
+| EUPL-1.1, EUPL-1.2 | European Union Public License. Compatible with several other licenses; check the specific version. |
+| OFL-1.1 | SIL Open Font License. Almost always fine for embedded fonts, but verify the font is being used as intended (not redistributed standalone with a new name). |
+
+## Forbidden
+
+A dependency under one of these licenses **must not be added**. If
+`check_policy.py` flags one, the options are: (a) remove it, (b) replace
+it with a permissively-licensed alternative, (c) move the functionality
+out of process (subprocess invocation breaks the linkage in most cases —
+this is why Ansible is acceptable).
+
+| SPDX ID | Why forbidden |
+|---------|--------------|
+| GPL-2.0, GPL-3.0 (and `-only` / `-or-later`) | Strong copyleft. Linking forces Semaphore UI to be GPL, which conflicts with our distribution model. |
+| AGPL-1.0, AGPL-3.0 | Same as GPL plus a network-interaction trigger. Particularly hostile to SaaS/self-hosted server software. |
+| SSPL-1.0 | MongoDB's Server Side Public License. Not OSI-approved; imposes obligations on anyone offering the software as a service. |
+| BUSL-1.1 | Business Source License. Time-delayed open source with use restrictions during the change window. Not OSS. |
+| Commons-Clause | Restricts commercial sale; strips OSS status from any underlying license it's attached to. |
+| Elastic-2.0 | Elastic License v2. Use restrictions; not OSS. |
+| RSALv2 | Redis Source Available License v2. Same family as BUSL/Elastic. |
+| CC-BY-NC-* | Creative Commons "Non-Commercial" variants. Not usable in a commercially-distributable product. |
+| Facebook-BSD-Patents (legacy) | The old React patent grant clause. Removed years ago, but flagged here as a defensive measure. |
+
+## Subprocess exception (External Runtime Tools)
+
+Tools that Semaphore UI invokes via `os/exec` (Ansible, Terraform, OpenTofu,
+Pulumi, Bash) are NOT linked into our binary and NOT redistributed by us.
+Their licenses govern the user's installation of those tools on the host
+system, not our distribution.
+
+This is why we can integrate with Ansible (GPL-3.0) and Terraform (BUSL-1.1)
+without violating this policy — we never embed their code, we only document
+that the user must install them separately.
+
+These tools are intentionally **not listed** in `THIRD-PARTY-LICENSES.md`.
+Listing them would wrongly imply that they are distributed with the product
+and would invite unnecessary scrutiny from a customer's legal team. Neither
+`collect_licenses.sh` nor `generate_md.py` produces or accepts an external-
+tools section.
+
+## When the policy itself needs to change
+
+If a dependency we genuinely need is forbidden, the path forward is:
+
+1. Document the technical need (what does it do, what alternatives exist).
+2. Get sign-off from a maintainer with the authority to make that call.
+3. Update **both** this document and `check_policy.py`, in the same commit.
+4. Note the exception in `THIRD-PARTY-LICENSES.md` so customers can see it.
+
+Don't relax the policy silently. The whole point is that customers can
+audit us, so the policy must be auditable too.

.claude/skills/semaphore-ui-third-party-licenses/references/template.md

@@ -0,0 +1,116 @@
+# THIRD-PARTY-LICENSES.md output format
+
+This is the canonical structure that `scripts/generate_md.py` produces.
+Reference for humans reviewing the generator output, and for anyone who
+needs to understand what each section is for.
+
+## Structure
+
+```
+# Third-Party Licenses
+
+[intro paragraph explaining what this file is and why it exists]
+
+_Generated on YYYY-MM-DD HH:MM UTC by scripts/collect_licenses.sh._
+
+[regeneration instructions — always include these so the file is
+ reproducible by anyone, not just the original author]
+
+## Summary
+
+[total component count]
+
+| Ecosystem | Components |
+|-----------|------------|
+| Go (backend)        | NN |
+| npm (frontend)      | NN |
+
+### License distribution
+
+| License | Count |
+|---------|-------|
+| MIT          | NN |
+| Apache-2.0   | NN |
+| BSD-3-Clause | NN |
+| ...          | NN |
+
+## Go Backend Dependencies
+
+[one-line description of what these are and where they come from]
+
+| Component | Version(s) | License | Source |
+|-----------|------------|---------|--------|
+| `github.com/foo/bar`  | v1.2.3 | MIT | [link](https://...) |
+| `github.com/foo/baz`  | v0.4.1, v0.5.0 | Apache-2.0 | [link](https://...) |
+| ...
+
+## Frontend Dependencies (npm)
+
+[one-line description]
+
+| Component | Version(s) | License | Source |
+|-----------|------------|---------|--------|
+| `vue`        | 3.4.21 | MIT | [link](https://...) |
+| `vuetify`    | 3.5.8  | MIT | [link](https://...) |
+| ...
+
+---
+
+## License texts
+
+[paragraph explaining where to find full license texts and how to report
+ missing/incorrect attributions]
+
+<!-- end of generated file -->
+```
+
+## Why this structure
+
+**Summary table at the top.** Lets a reader (especially a customer's
+compliance team) see the shape of the dependency tree at a glance
+without scrolling through hundreds of rows.
+
+**License distribution.** Surfaces concentration risk. If 95% of deps are
+MIT/Apache and 1 is MPL-2.0, that 1 deserves attention. It also makes it
+easy to spot a forbidden license that somehow slipped through (a single
+GPL-3.0 row in the distribution table is a very loud red flag).
+
+**Sorted alphabetically within each section.** Diffs between releases
+become useful — a new dependency shows up as an added row in one
+predictable place, not scattered across the file.
+
+**Versions collapsed onto one line.** A dependency pinned at multiple
+versions (common with transitive Go deps that get MVS-resolved differently
+in different parts of the tree) shouldn't take 5 rows. One row, comma-
+separated versions.
+
+**External tools deliberately excluded.** Ansible, Terraform, OpenTofu,
+Pulumi, and Bash are invoked as subprocesses, not linked, and not
+redistributed with Semaphore UI. They are not listed in this file —
+including them would wrongly imply distribution. The license policy
+document covers them under "Subprocess exception" if a reviewer asks
+why they're absent.
+
+**Regeneration instructions in the header.** Means the file is not a
+hand-maintained artifact that drifts. Anyone can rebuild it and verify
+it matches what's actually in the dependency manifests.
+
+**Footer comment marker.** `<!-- end of generated file -->` lets CI
+verify the file wasn't truncated mid-write — useful when generation runs
+in a pipeline and might fail partway.
+
+## What NOT to include
+
+- **Full license texts inline.** Don't copy the MIT license text 200
+  times into one file. Refer readers to the source URL. The packages
+  themselves carry their LICENSE files; the user has them on disk after
+  `go mod download` / `npm install`.
+- **CVE / vulnerability info.** That belongs in security advisories,
+  not the license document. Mixing the two confuses the reader and makes
+  the file go stale faster.
+- **Internal-only dependencies.** Build tooling (linters, test
+  frameworks, code generators) doesn't ship to customers. Production
+  dependencies only.
+- **Hand-edited rows.** If something needs a special note, add it via
+  the generator (extend `generate_md.py`), not by editing the output
+  file. Hand edits get destroyed on the next regeneration.