Open Source License Recommender

What this skill does

Takes a project's stated goals (commercial-friendly, copyleft, attribution required, patent-protective, no-warranty-only) and a snapshot of its dependencies, then recommends 1-2 SPDX licenses that satisfy the goals and are compatible with the dep set.

Inputs

• goals: object with booleans allow_commercial, prefer_copyleft, require_attribution, patent_grant, weak_copyleft_ok.
• lockfile_path: optional, used to harvest dependency licenses.
• Optional audience: library, application, documentation, creative-asset.

Steps

1. If lockfile_path provided, run a license-extract pass: for each dep, fetch its SPDX id from registry metadata.
2. Compute a "must-be-compatible-with" set from deps: any GPL family means the project must also be GPL-compatible (or unbundled); MIT/BSD/Apache are universally compatible.
3. Apply the goal mask to a candidate list:
   • prefer_copyleft && !weak_copyleft_ok + library -> LGPL-3.0-or-later.
   • prefer_copyleft + application -> GPL-3.0-or-later; if audience is server -> AGPL-3.0-or-later.
   • Permissive + patent_grant -> Apache-2.0.
   • Permissive + minimal -> MIT.
   • Documentation / creative -> CC-BY-4.0.
   • Public-domain leaning -> 0BSD or CC0-1.0.
4. Cross-check the candidate against the dep compatibility set; drop incompatible candidates.
5. If multiple survive, rank: most ecosystem-aligned (MIT for JS, Apache-2.0 for Java/Go, MIT/BSD-3-Clause for Python) wins on a tie.
6. Write the recommendation note: top pick + a runner-up, with one paragraph each on rationale and 2 bullets on what each license requires of distributors.
7. Generate the LICENSE file content: pull the canonical SPDX text via the SPDX license list URL.
8. Save the recommendation and the LICENSE file.

Output

license-recommendation.md with rationale and a LICENSE file containing the recommended license's canonical text. Stdout prints the chosen SPDX id.

Verification

Cross-check with choosealicense.com's flowchart: feeding the same goals should yield the same recommendation. Run licensee detect <repo> (or similar) on the new LICENSE and confirm SPDX recognition. Confirm the chosen license is on the OSI-approved list at https://opensource.org/licenses (unless the user explicitly opted out of OSI approval).

Edge cases

• Project depends on a strong-copyleft dep (e.g., readline): if the dep is statically linked, the project must be GPL-compatible; surface the conflict before proceeding.
• Dual-licensing requested (e.g., AGPL + commercial): refuse to auto-recommend; advise consulting a lawyer.
• Mixed creative + code (a tutorial repo): suggest a split — code under MIT and prose under CC-BY-4.0 — with directory-level boundaries.
• Patent-sensitive industry: bias toward Apache-2.0 even when MIT would otherwise win.