LicenseGuard
catch GPL contamination before your AI agent ships it
npx -y github:Isco0819/license-guardEver run into this?
AI coding agents add npm packages freely without checking license compatibility. A single AGPL or GPL dep silently contaminates your MIT project — legal risk baked in before anyone notices. license-checker has 8M+ weekly npm downloads proving the pain is real, yet no MCP server layer exists to gate agent-driven installs.
The fix
MCP server + npx CLI that resolves each new dependency's SPDX license and returns OK / WARN / BLOCK before the package.json write lands — stopping copyleft contamination at the agent tool-call layer.
What it does
- MCP tool check_license_compatibility(pkg, projectLicense) — fetches SPDX license from public npm registry, runs compat matrix, returns risk level with reason
- npx license-guard audit — scans local node_modules via license-checker-rseidelsohn and prints a full compatibility report with violating packages highlighted
- .licenseguardrc allowlist/denylist — teams codify their own acceptable license set; CI-ready non-zero exit on violations