oss-review


/oss-review

Runs an open source license compliance check against the practice profile in ~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md. Classifies dependencies by license family, maps obligations to the deployment model, flags license-unknown and non-OSI-posing-as-OSS packages, and recommends actions — comply, replace, remove, seek legal review, seek commercial license.

Instructions

  1. Load ~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md. If placeholders are present, stop and prompt: "Run /ip-legal:cold-start-interview first — I need to learn your practice profile (and OSS policy, if any) before I can review." If the practice profile points at an uploaded OSS policy, read that too — it is the source of truth for accepted / review / banned licenses on this team.

  2. Establish the scope: a dependency list (package.json, requirements.txt, go.mod, Gemfile, Cargo.toml, pom.xml, SBOM), a single library, or outbound code the team is preparing to open-source. If the user passed a path, infer from the file; otherwise ask.

  3. Establish the deployment model before classifying obligations — SaaS, distributed binary, internal only, or embedded. The same dependency list triggers different obligations depending on this.

  4. Follow the workflow below. In particular:

    • Read the actual license text, not just metadata — LICENSE files can be wrong, package metadata can be stale.
    • Classify each package into permissive / weak copyleft / strong copyleft / public domain / non-OSI / unknown.
    • Flag license-unknown as "needs review," not permissive by default.
    • Flag non-OSI source-available licenses (SSPL, BUSL, Commons Clause, Elastic License, fair-source) — these are not open source.
    • For outbound code, check that the chosen outbound license is compatible with every embedded dependency.
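
The classification rules in step 4, as an added Python sketch that is not part of the skill or its repository: it sorts a dependency list into the families above, treats anything unrecognised as "unknown", and flags a package whose metadata disagrees with its LICENSE text. The SPDX-id table, the marker phrases, the `review` output format and the sample packages are assumptions made for illustration.

```python
import re

# Families are the page's; the SPDX ids listed per family are an assumed, partial table.
FAMILY = {}
for fam, ids in {
    "public domain": "CC0-1.0 Unlicense",
    "permissive": "MIT Apache-2.0 BSD-2-Clause BSD-3-Clause ISC",
    "weak copyleft": "LGPL-2.1 LGPL-3.0 MPL-2.0 EPL-2.0",
    "strong copyleft": "GPL-2.0 GPL-3.0 AGPL-3.0",
    "non-OSI": "SSPL-1.0 BUSL-1.1 Elastic-2.0",
}.items():
    FAMILY.update({spdx: fam for spdx in ids.split()})
RANK = ["public domain", "permissive", "weak copyleft", "strong copyleft", "non-OSI", "unknown"]
# Assumed marker phrases for recognising a license from its text (a heuristic, not a matcher).
MARKERS = [("Server Side Public License", "SSPL-1.0"), ("Business Source License", "BUSL-1.1"),
           ("GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL-3.0"),
           ("Permission is hereby granted, free of charge", "MIT")]

def family_of(expr):
    """Family of a flat SPDX expression. OR lets the licensee pick, so take the least
    restrictive branch; AND stacks terms, so take the most restrictive one.
    Missing metadata, parentheses, WITH and unlisted ids all come back "unknown"."""
    if not expr or "(" in expr:
        return "unknown"
    branches = []
    for alt in expr.split(" OR "):
        ids = [re.sub(r"(-only|-or-later|\+)$", "", t.strip()) for t in alt.split(" AND ")]
        branches.append(max((FAMILY.get(i, "unknown") for i in ids), key=RANK.index))
    return "unknown" if "unknown" in branches else min(branches, key=RANK.index)

def detect(text):
    """SPDX id suggested by the license text itself, or None."""
    return next((spdx for phrase, spdx in MARKERS if phrase.lower() in text.lower()), None)

def review(pkg):
    declared, found = family_of(pkg.get("license")), detect(pkg.get("license_text", ""))
    if found and FAMILY[found] != declared:
        return (pkg["name"], FAMILY[found], "needs review: metadata does not match LICENSE text")
    if declared == "unknown":
        return (pkg["name"], "unknown", "needs review")
    return (pkg["name"], declared, "not open source" if declared == "non-OSI" else "classified")

DEPS = [  # constructed sample input, not real packages
    {"name": "pad", "license": "MIT", "license_text": "Permission is hereby granted, free of charge, ..."},
    {"name": "dual", "license": "MIT OR GPL-3.0-only"},
    {"name": "driver", "license": "Apache-2.0", "license_text": "Server Side Public License\nVERSION 1"},
    {"name": "mystery", "license": None},
    {"name": "combo", "license": "MPL-2.0 AND AGPL-3.0-or-later"},
]

if __name__ == "__main__":
    for row in map(review, DEPS):
        print(*row, sep=" | ")
```

The sketch stops at classification; mapping each family to obligations under the deployment model from step 3 is left to the team's policy.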
First Seen
May 13, 2026
oss-review — anthropics/claude-for-legal