License Compliance Guide

Overview

PentAGI is MIT licensed and all dependencies use MIT-compatible licenses.

For Developers

Adding New Dependencies

When adding new dependencies, ensure they use compatible licenses:

Approved Licenses

  • MIT
  • Apache-2.0
  • BSD-2-Clause, BSD-3-Clause
  • ISC
  • MPL-2.0 (if used without modification)
  • 0BSD (public domain)

Incompatible Licenses

  • GPL, LGPL, AGPL (without special exception)
  • CC-BY-SA (for code, OK for data)
  • Proprietary/Commercial licenses

Before Merging PR

  1. Update dependencies:

    cd backend && go mod tidy
    cd ../frontend && npm install
  2. Generate license reports:

    ./scripts/generate-licenses.sh

    This script automatically collects license information from all dependencies and saves them to the licenses/ directory. See licenses/README.md for details.

  3. Scan for issues:

    osv-scanner scan --experimental-licenses="MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC,MPL-2.0" backend
    osv-scanner scan --experimental-licenses="MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC,MPL-2.0" frontend

License Verification Tools

  • osv-scanner - Security and license scanning (recommended)
  • license-checker - npm license verification
  • go-licenses - Go module license extraction (install: go install github.com/google/go-licenses@latest)
  • go list - Go module inspection

For Docker Builds

License reports are automatically generated during Docker builds:

  • Backend reports in /opt/pentagi/licenses/backend/
    • dependencies.txt - List of all Go modules
    • licenses.csv - Detailed license information (generated by go-licenses)
  • Frontend reports in /opt/pentagi/licenses/frontend/
    • dependencies.json - Complete npm dependency tree
    • licenses.json - Detailed license data
    • licenses.csv - License summary
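
One way to gate on the backend `licenses.csv` using the Approved Licenses list above. This is an added example, not a script from the PentAGI repository. It assumes the three-column `package,license URL,license type` rows that `go-licenses` writes in CSV mode; the function names and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: audit a go-licenses CSV against the guide's approved list.
# Assumed row format: <package>,<license URL>,<license type>

# Approved Licenses, copied from the list in this guide.
APPROVED="MIT Apache-2.0 BSD-2-Clause BSD-3-Clause ISC MPL-2.0 0BSD"

# check_licenses [FILE]
# Reads FILE (or stdin), prints one line per finding, and returns 1 if any
# row carries a license outside APPROVED. MPL-2.0 rows pass but are marked
# REVIEW, because the guide approves MPL-2.0 only when used unmodified.
check_licenses() {
    awk -F',' -v approved="$APPROVED" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[[:space:]]*$/ { next }            # skip blank lines
        {
            lic = $NF                         # license type is the last field
            sub(/\r$/, "", lic)               # tolerate CRLF line endings
            if (!(lic in ok)) {
                printf "DENY   %s (%s)\n", $1, (lic == "" ? "empty" : lic)
                bad = 1
            } else if (lic == "MPL-2.0") {
                printf "REVIEW %s (MPL-2.0: only if used without modification)\n", $1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample rows (not real PentAGI dependencies).
sample_csv() {
    cat <<'EOF'
github.com/example/alpha,https://example.invalid/alpha/LICENSE,MIT
github.com/example/bravo,https://example.invalid/bravo/LICENSE,Apache-2.0
github.com/example/charlie,https://example.invalid/charlie/LICENSE,MPL-2.0
github.com/example/delta,https://example.invalid/delta/COPYING,GPL-3.0
github.com/example/echo,Unknown,Unknown
EOF
}

# Demo run: two DENY lines, one REVIEW line, then the failure message.
sample_csv | check_licenses || echo "unapproved licenses found"
```

Unlike the `osv-scanner` allowlist in step 3, `APPROVED` here includes 0BSD, following the Approved Licenses list. In CI, call `check_licenses` on the generated `licenses.csv` and let its non-zero exit status fail the job.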

Questions?

Contact: info@pentagi.com or info@vxcontrol.com