oss-review

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

/oss-review

Runs an open source license compliance check against the practice profile in

~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md

. Classifies dependencies by license family, maps obligations to the deployment model, flags license-unknown and non-OSI-posing-as-OSS packages, and recommends actions — comply, replace, remove, seek legal review, seek commercial license.

针对

~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md

中的实践配置文件运行开源许可证合规性检查。按许可证家族对依赖项进行分类，将义务映射到部署模型，标记许可证未知和伪装成开源的非OSI认证包，并给出行动建议——合规、替换、移除、寻求法律审查、寻求商业许可证。

Instructions

操作说明

Load
~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md
. If placeholders present, stop and prompt: "Run
```
/ip-legal:cold-start-interview
```
first — I need to learn your practice profile (and OSS policy, if any) before I can review." If the practice profile points at an uploaded OSS policy, read that too — it is the source of truth for accepted / review / banned licenses on this team.
Establish the scope: a dependency list (package.json, requirements.txt, go.mod, Gemfile, Cargo.toml, pom.xml, SBOM), a single library, or outbound code the team is preparing to open-source. If the user passed a path, infer from the file; otherwise ask.
Establish the deployment model before classifying obligations — SaaS, distributed binary, internal only, or embedded. The same dependency list triggers different obligations depending on this.
Follow the workflow below. In particular:
- Read the actual license text, not just metadata — LICENSE files can be wrong, package metadata can be stale.
- Classify each package into permissive / weak copyleft / strong copyleft / public domain / non-OSI / unknown.
- Flag license-unknown as "needs review," not permissive by default.
- Flag non-OSI source-available licenses (SSPL, BUSL, Commons Clause, Elastic License, fair-source) — these are not open source.
- For outbound code, check that the chosen outbound license is compatible with every embedded dependency.
Output the memo per the template below — work-product header first, bottom line, top-of-memo flags, per-package blocks grouped by severity, jurisdiction note, outbound check (if applicable), approval routing.
Respect the decision posture. When a copyleft-trigger analysis turns on a contested question (AGPL's "interacts over a network," GPL-3.0's "conveying," LGPL linking scope), flag for attorney review and surface the factors cutting both ways. Anything flagged as strong copyleft or license-unknown goes to an attorney before the dependency ships or the code is released.

加载
~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md
文件。如果存在占位符，请停止并提示："请先运行
```
/ip-legal:cold-start-interview
```
——在进行审查前，我需要了解你的实践配置文件（以及OSS政策，如果有的话）。" 如果实践配置文件指向已上传的OSS政策，请一并阅读——这是团队接受/审查/禁用许可证的权威依据。
确定审查范围：依赖列表（package.json、requirements.txt、go.mod、Gemfile、Cargo.toml、pom.xml、SBOM）、单个库，或团队准备开源的待发布代码。如果用户提供了路径，从文件推断；否则询问用户。
确定部署模型后再分类义务——SaaS、分布式二进制文件、仅内部使用，或嵌入式。同一依赖列表根据部署模型不同会触发不同的义务。
遵循以下工作流程，尤其注意：
- 阅读实际许可证文本，而非仅依赖元数据——LICENSE文件可能有误，包元数据可能过时。
- 将每个包分类为宽松型/弱Copyleft/强Copyleft/公共领域/非OSI认证/未知。
- 将许可证未知的包标记为"需审查"，默认不视为宽松型。
- 标记非OSI认证的源码可用许可证（SSPL、BUSL、Commons Clause、Elastic License、fair-source）——这些不属于开源许可证。
- 对于待发布代码，检查所选的对外许可证是否与所有嵌入依赖项兼容。
按照以下模板输出备忘录——先输出工作产品页眉，然后是核心结论、备忘录顶部标记、按严重程度分组的每个包模块、管辖权说明、待发布代码检查（如适用）、审批流程。
尊重决策原则。当Copyleft触发分析涉及有争议的问题（AGPL的"通过网络交互"、GPL-3.0的"分发"、LGPL链接范围）时，标记为需律师审查，并列出正反两方的影响因素。任何被标记为强Copyleft或许可证未知的内容，在依赖项发布或代码开源前必须经律师评估。

Examples

示例

/ip-legal:oss-review ~/code/my-project/package.json
/ip-legal:oss-review ~/code/my-project/requirements.txt
/ip-legal:oss-review redis
/ip-legal:oss-review ~/code/my-project  # repo root — scan all manifests

/ip-legal:oss-review ~/code/my-project/package.json
/ip-legal:oss-review ~/code/my-project/requirements.txt
/ip-legal:oss-review redis
/ip-legal:oss-review ~/code/my-project  # 仓库根目录 — 扫描所有清单

Works better connected

集成工具后效果更佳

OSS clearance requests usually come in via a ticketing system. Connected to Jira, Linear, or Asana, this skill can: monitor incoming OSS requests, respond with guidance directly in the ticket (flagging incomplete info, asking for the repo link, returning the license-family classification), and track clearance status across requests.

Without a connector, paste the ticket or describe the request and I'll handle it one at a time. See

CONNECTORS.md

at the repo root for how to add a ticketing connector.

开源许可审批请求通常通过工单系统提交。集成Jira、Linear或Asana后，该技能可：监控 incoming开源请求，直接在工单中回复指导（标记不完整信息、要求提供仓库链接、返回许可证家族分类），并跟踪所有请求的审批状态。

如果未集成连接器，请粘贴工单内容或描述请求，我会逐一处理。有关添加工单连接器的方法，请查看仓库根目录下的

CONNECTORS.md

。

Matter context

事项上下文

Matter context. Check

## Matter workspaces

in the practice-level CLAUDE.md. If

Enabled

✗

(the default for in-house users), skip the rest of this paragraph — skills use practice-level context and the matter machinery is invisible. If enabled and there is no active matter, ask: "Which matter is this for? Run

/ip-legal:matter-workspace switch <slug>

or say

practice-level

." Load the active matter's

matter.md

for matter-specific context and overrides. Write outputs to the matter folder at

~/.claude/plugins/config/claude-for-legal/ip-legal/matters/<matter-slug>/

. Never read another matter's files unless

Cross-matter context

on

事项上下文。检查实践级CLAUDE.md中的

## Matter workspaces

部分。如果

Enabled

为

✗

（内部用户默认设置），则跳过本段剩余内容——技能使用实践级上下文，事项机制不可见。如果已启用且无活跃事项，请询问："这属于哪个事项？请运行

/ip-legal:matter-workspace switch <slug>

或选择

practice-level

。" 加载活跃事项的

matter.md

文件以获取事项特定上下文和覆盖规则。将输出写入事项文件夹

~/.claude/plugins/config/claude-for-legal/ip-legal/matters/<matter-slug>/

。除非

Cross-matter context

为

on

，否则不得读取其他事项的文件。

Purpose

目的

Tell the user what licenses are in their dependency tree, what obligations those licenses trigger given how the code will be deployed, and what to do about each one. The output is a memo the lawyer (or the engineer with attorney access) can act on — comply, replace, remove, seek legal review, seek commercial license.

This is a first-pass classification. Copyleft analysis depends on the deployment model, the degree of linking, the jurisdiction, and sometimes on legal questions that have not been tested in court (notably AGPL's "interacts over a network," GPL-3.0's patent clause). For anything that classifies as strong copyleft or license-unknown, an attorney evaluates before the dependency ships or the code is released. The skill reports what it found; the lawyer decides what to do.

告知用户其依赖树中的许可证类型、根据代码部署方式触发的义务，以及针对每个依赖项的应对措施。输出内容是律师（或有权限咨询律师的工程师）可采取行动的备忘录——合规、替换、移除、寻求法律审查、寻求商业许可证。

这是初步分类。Copyleft分析取决于部署模型、链接程度、管辖权，有时还涉及尚未经法院检验的法律问题（特别是AGPL的"通过网络交互"、GPL-3.0的专利条款）。对于任何被分类为强Copyleft或许可证未知的内容，必须在依赖项发布或代码开源前经律师评估。该技能仅报告发现的情况，最终决策由律师做出。

Precondition: load the practice profile

前提条件：加载实践配置文件

Before scanning dependencies, read
~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md
. If it is missing or still contains placeholders, stop and run

/ip-legal:cold-start-interview

. The practice profile tells you:

Who owns OSS review on this team (often engineering with legal sign-off)
Escalation routing for copyleft obligations
The work-product header to prepend

If the practice profile has an OSS policy uploaded, read that too — it is the source of truth for which licenses the team accepts, which trigger review, and which are banned.

在扫描依赖项之前，请阅读
~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md
文件。如果文件缺失或仍包含占位符，请停止并运行

/ip-legal:cold-start-interview

。实践配置文件会告知你：

团队中谁负责开源审查（通常是工程师加法律签署）
Copyleft义务的升级流程
要添加的工作产品页眉

如果实践配置文件附带上传的OSS政策，请一并阅读——这是团队接受、审查或禁用哪些许可证的权威依据。

Workflow

工作流程

Step 1: What's the scope?

步骤1：审查范围是什么？

Ask (or infer from what the user provided):

What are we reviewing?
A dependency list —
package.json
,
requirements.txt
,
go.mod
,
Gemfile
,
Cargo.toml
,
pom.xml
, an SBOM (SPDX / CycloneDX), a lockfile
A single library — one specific package you're considering adding

Our own code — we're planning to open-source this and need to check what's embedded

The analysis path differs:

Dependency list → classify every entry, roll up obligations
Single library → classify one package and walk its transitive dependencies if available
Outbound code → check what's embedded (direct and transitive), check whether chosen outbound license is compatible with all embedded licenses, check that LICENSE / NOTICE files are correct

询问（或从用户提供的内容推断）：

我们要审查什么？
依赖列表 —
package.json
、
requirements.txt
、
go.mod
、
Gemfile
、
Cargo.toml
、
pom.xml
、SBOM（SPDX / CycloneDX）、锁文件
单个库 — 你考虑添加的某个特定包

我们自己的代码 — 我们计划开源此代码，需要检查嵌入的内容

分析路径有所不同：

依赖列表 → 对每个条目进行分类，汇总义务
单个库 → 对一个包进行分类，如果有可用的传递依赖项则一并分析
待发布代码 → 检查嵌入的内容（直接和传递依赖），检查所选的对外许可证是否与所有嵌入许可证兼容，检查LICENSE / NOTICE文件是否正确

Step 2: What's the deployment model?

步骤2：部署模型是什么？

This is the single most important input after the license list — the same library carries different obligations depending on how the software is delivered. Ask:

How will this be deployed?

SaaS / hosted service — users access over a network; nothing ships to the user

Distributed binary — we ship compiled code to users (desktop app, mobile app, on-prem server, CLI tool)

Internal only — used only inside the company, not distributed outside

Embedded / firmware — shipped in hardware or as closed-system firmware

Deployment	Licenses that materially matter
SaaS	AGPL (network-trigger), permissive attribution in any UI, SSPL/BUSL/Elastic if repurposing as competing service
Distributed binary	GPL, LGPL, MPL, EPL (all trigger on distribution), permissive attribution
Internal only	Most copyleft does not trigger — no distribution. Permissive attribution still good hygiene. AGPL still triggers if users outside the company interact over the network.
Embedded / firmware	GPL is especially hard to comply with here (source disclosure + reproducible build + installation information in some cases). Plan for this before shipping, not after.

Flag the deployment model in the output memo — the same dependency list reviewed against "SaaS" vs. "distributed binary" yields different obligations.

这是许可证列表之后最重要的输入——同一库根据软件交付方式不同会承担不同的义务。询问：

该软件将如何部署？

SaaS / 托管服务 — 用户通过网络访问；不向用户交付任何内容

分布式二进制文件 — 我们向用户交付编译后的代码（桌面应用、移动应用、本地服务器、CLI工具）

仅内部使用 — 仅在公司内部使用，不对外分发

嵌入式 / 固件 — 随硬件或封闭系统固件交付

部署方式	需重点关注的许可证
SaaS	AGPL（网络触发）、任何UI中的宽松型许可证归属声明、如果将SSPL/BUSL/Elastic许可证用于竞争服务则需关注
分布式二进制文件	GPL、LGPL、MPL、EPL（所有分发时触发的许可证）、宽松型许可证归属声明
仅内部使用	大多数Copyleft不触发——无分发。但宽松型许可证的归属声明仍是良好的规范。如果公司外部用户通过网络交互，AGPL仍会触发。
嵌入式 / 固件	GPL在此场景下特别难合规（某些情况下需披露源码、可重现构建、安装信息）。请在交付前做好规划，不要事后补救。

在输出备忘录中标记部署模型——同一依赖列表针对"SaaS"和"分布式二进制文件"的审查会产生不同的义务。

Step 3: Classify each dependency

步骤3：对每个依赖项进行分类

For every package, determine the license. Read the actual license text, not just the metadata — LICENSE files can be wrong (the file says MIT but the headers say GPL; the README claims Apache but there's no license file), and package manager metadata can be stale.

Classify into:

Bucket	Examples	Key obligations
Permissive	MIT, BSD-2-Clause, BSD-3-Clause, Apache-2.0, ISC, Zlib, Unlicense	Attribution, preserve license text, Apache-2.0 adds patent grant + NOTICE requirement
Weak copyleft	LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-1.0, EPL-2.0, CDDL	File-level or library-level source disclosure; linking rules vary
Strong copyleft	GPL-2.0, GPL-3.0, AGPL-3.0, OSL, EUPL (depending on version)	Broad source disclosure; AGPL extends to network use
Public domain / dedication	CC0, Unlicense, WTFPL	Typically no obligations, but some are contested in jurisdictions that don't recognize dedication to public domain
Non-OSI source-available	SSPL, BUSL, Commons Clause, Elastic License, Confluent Community, fair-source family	Not open source — restrict commercial use, competing-service use, or both. Read the specific license.
Other / custom / unknown	vendor-specific, proprietary, missing license file, license conflict between file and headers	Stop — do not treat as permissive by default

Flag:

Dual-licensed packages — which license are we using? The choice may change obligations.
Deprecated packages — the package is no longer maintained; is there a supported replacement?
Packages with a copyleft dependency in their own tree — the top-level license is permissive but a transitive dependency is copyleft.
Packages that changed license recently — Redis, MongoDB, Elastic, HashiCorp — make sure the version pinned is under the license you think it is.

对于每个包，确定其许可证。阅读实际许可证文本，而非仅依赖元数据——LICENSE文件可能有误（文件标注MIT但代码头标注GPL；README声称Apache但无许可证文件），包管理器元数据可能过时。

分类如下：

类别	示例	核心义务
宽松型	MIT、BSD-2-Clause、BSD-3-Clause、Apache-2.0、ISC、Zlib、Unlicense	归属声明、保留许可证文本，Apache-2.0额外包含专利授予 + NOTICE要求
弱Copyleft	LGPL-2.1、LGPL-3.0、MPL-2.0、EPL-1.0、EPL-2.0、CDDL	文件级或库级源码披露；链接规则各不相同
强Copyleft	GPL-2.0、GPL-3.0、AGPL-3.0、OSL、EUPL（取决于版本）	广泛的源码披露；AGPL扩展到网络使用场景
公共领域 / 奉献	CC0、Unlicense、WTFPL	通常无义务，但在不承认公共领域奉献的司法管辖区可能存在争议
非OSI认证源码可用	SSPL、BUSL、Commons Clause、Elastic License、Confluent Community、fair-source系列	不属于开源——限制商业使用、竞争服务使用，或两者都限制。请阅读具体许可证内容。
其他 / 自定义 / 未知	供应商特定、专有、缺失许可证文件、文件与代码头的许可证冲突	停止——默认不视为宽松型

标记：

双许可证包 — 我们使用哪个许可证？选择不同的许可证可能会改变义务。
已弃用包 — 该包不再维护；是否有支持的替代包？
自身依赖树中包含Copyleft依赖的包 — 顶级许可证是宽松型，但传递依赖是Copyleft。
最近更改许可证的包 — Redis、MongoDB、Elastic、HashiCorp——确保固定的版本符合你认为的许可证。

Step 4: Map obligations to the deployment model

步骤4：将义务映射到部署模型

For each classified dependency, state what the deployment model triggers:

markdown

undefined

对于每个分类后的依赖项，说明部署模型触发的义务：

markdown

undefined

[package@version] — [License]

[package@version] — [许可证]

Classification: [Permissive / Weak copyleft / Strong copyleft / Public domain / Non-OSI / Unknown]

Obligations for our deployment ([SaaS / binary / internal / embedded]):

[Specific obligation — e.g., "Include attribution in a NOTICES file shipped with the app"]
[e.g., "If we modify and distribute, publish source of our modifications"]
[e.g., "AGPL network trigger — if users access our modified version over a network, source must be offered to them"]

Risk: 🔴 Critical | 🟠 High | 🟡 Medium | 🟢 Low

Recommendation: [Comply with obligations | Replace with [alternative] | Remove | Attorney review before shipping | Seek commercial license from [vendor]]


> **How is the copyleft dependency consumed?** The linking relationship determines whether copyleft actually triggers. Ask or determine:
> - **Static linking / compilation together:** The works are combined into one binary. Strong signal that copyleft triggers (LGPL "work based on the Library," GPL derivative work).
> - **Dynamic linking / shared library:** The works remain separable at runtime. LGPL explicitly permits this ("work that uses the Library"). GPL's position is contested (FSF says derivative, others disagree).
> - **Header inclusion / inline functions:** Can create a derivative work depending on how much is included.
> - **Subprocess / IPC:** Separate processes communicating over well-defined interfaces. Generally not derivative.
> - **Network API call:** For most licenses, no. For **AGPL**, the network-interaction clause means serving the software over a network IS distribution. In a microservices architecture, an AGPL component behind an API still triggers.
> - **File-scope copyleft (MPL):** Only the modified files carry copyleft, not the whole work. Check whether any copyleft files were modified.
>
> **The severity rating depends on this.** "LGPL — weak copyleft, linking rules vary" without the linking analysis is the answer that gets an engineer sued. Static-linked LGPL in a proprietary product is 🔴 Critical. Dynamic-linked LGPL is 🟢 Low. Same license, opposite rating.

**Severity calibration:**

| Level | Means |
|---|---|
| 🔴 Critical | Strong copyleft in a deployment that triggers it (e.g., GPL in a distributed binary, AGPL in a SaaS). Non-OSI license that the business model actually conflicts with (e.g., SSPL while we're building a managed service). License cannot be determined and the package is load-bearing. |
| 🟠 High | Weak copyleft with obligations the team hasn't set up for (file-level disclosure, NOTICE requirements). Dual-licensed where the chosen license is ambiguous. License file says one thing, headers say another. |
| 🟡 Medium | Permissive with attribution requirements that haven't been wired into the build (missing NOTICES file, missing LICENSE in distribution). Transitive copyleft in a position that may or may not trigger, depending on how the library is consumed. |
| 🟢 Low | Permissive with obligations already satisfied. Copyleft in a deployment model that doesn't trigger it (e.g., GPL library used internally only, with no redistribution). |

分类： [宽松型 / 弱Copyleft / 强Copyleft / 公共领域 / 非OSI认证 / 未知]

针对我们的部署方式的义务（[SaaS / 二进制文件 / 内部使用 / 嵌入式]）：

[具体义务 — 例如，"在随应用交付的NOTICES文件中包含归属声明"]
[例如，"如果我们修改并分发，需发布修改部分的源码"]
[例如，"AGPL网络触发——如果用户通过网络访问我们修改后的版本，必须向他们提供源码"]

风险： 🔴 严重 | 🟠 高 | 🟡 中 | 🟢 低

建议： [遵守义务 | 替换为[替代包] | 移除 | 发布前寻求律师审查 | 向[供应商]寻求商业许可证]


> **Copyleft依赖项的使用方式？** 链接关系决定Copyleft是否实际触发。询问或确定：
> - **静态链接 / 一起编译：** 作品合并为一个二进制文件。强烈表明Copyleft会触发（LGPL的"基于库的作品"、GPL衍生作品）。
> - **动态链接 / 共享库：** 作品在运行时保持分离。LGPL明确允许此方式（"使用库的作品"）。GPL的立场存在争议（FSF认为是衍生作品，其他人不同意）。
> - **头文件包含 / 内联函数：** 根据包含内容的多少，可能会产生衍生作品。
> - **子进程 / IPC：** 通过定义良好的接口通信的独立进程。通常不视为衍生作品。
> - **网络API调用：** 对于大多数许可证，不会触发。对于**AGPL**，网络交互条款意味着通过网络提供软件即视为分发。在微服务架构中，API背后的AGPL组件仍会触发义务。
> - **文件范围Copyleft（MPL）：** 仅修改的文件带有Copyleft，而非整个作品。检查是否修改了任何Copyleft文件。
>
> **严重程度评级取决于此。** "LGPL——弱Copyleft，链接规则各不相同"但未进行链接分析的回答可能会给工程师带来法律风险。静态链接LGPL到专有产品中属于🔴严重。动态链接LGPL属于🟢低。同一许可证，评级完全相反。

**严重程度校准：**

| 级别 | 含义 |
|---|---|
| 🔴 严重 | 在触发场景中使用强Copyleft（例如，分布式二进制文件中的GPL、SaaS中的AGPL）。与商业模式实际冲突的非OSI许可证（例如，我们构建托管服务时使用SSPL）。无法确定许可证且包是核心依赖。 |
| 🟠 高 | 团队尚未设置应对措施的弱Copyleft义务（文件级披露、NOTICE要求）。所选许可证不明确的双许可证包。许可证文件与代码头不一致。 |
| 🟡 中 | 尚未在构建中配置归属要求的宽松型许可证（缺少NOTICES文件、分发中缺少LICENSE）。传递Copyleft的位置可能触发也可能不触发，取决于库的使用方式。 |
| 🟢 低 | 已满足义务的宽松型许可证。在不触发场景中使用的Copyleft（例如，仅内部使用的GPL库，无再分发）。 |

Step 5: Flag failure modes

步骤5：标记故障模式

Call out any of the following in a top-of-memo section:

License unknown — classify as "needs review," not permissive. An unclassified dependency should stop a ship decision, not slip through.
License file conflicts with file headers — read both and report the conflict.
Incompatible combinations — GPL-2.0 only + Apache-2.0 historically a known incompatibility; check MPL / EPL / GPL combinations carefully.
Non-OSI licenses posing as open source — SSPL, BUSL, Commons Clause, Elastic License, Confluent Community. Read the license; don't rely on GitHub's "open source" badge.
License changes — if a prior version was permissive and the current version is source-available, the pin matters.

在备忘录顶部部分列出以下任何情况：

许可证未知 — 分类为"需审查"，不视为宽松型。未分类的依赖项应阻止发布决策，而非被忽略。
许可证文件与代码头冲突 — 阅读两者并报告冲突。
不兼容组合 — GPL-2.0仅与Apache-2.0历史上存在已知不兼容性；请仔细检查MPL / EPL / GPL组合。
伪装成开源的非OSI许可证 — SSPL、BUSL、Commons Clause、Elastic License、Confluent Community。请阅读许可证内容；不要依赖GitHub的"开源"徽章。
许可证变更 — 如果先前版本是宽松型，当前版本是源码可用型，版本固定至关重要。

Step 6: Outbound check (if reviewing our own code before open-sourcing)

步骤6：待发布代码检查（如果在开源前审查我们自己的代码）

If the user is preparing to open-source code:

Confirm the chosen outbound license is compatible with every embedded dependency's license (e.g., you cannot release under MIT if you've embedded GPL code — the combined work must be GPL)
Confirm LICENSE file is present and correct
Confirm NOTICE file is present and lists required attributions (Apache-2.0 and others)
Confirm third-party license texts are bundled where required
Confirm no proprietary or confidential code, no customer data, no embedded credentials in the repo history
Confirm trademark and brand policy for any project name (separate from the copyright license)

如果用户准备开源代码：

确认所选的对外许可证与所有嵌入依赖项的许可证兼容（例如，如果嵌入了GPL代码，则不能以MIT许可证发布——合并后的作品必须使用GPL）
确认LICENSE文件存在且正确
确认NOTICE文件存在并列出所需的归属声明（Apache-2.0及其他许可证）
确认按要求捆绑了第三方许可证文本
确认仓库历史中没有专有或机密代码、客户数据、嵌入的凭证
确认任何项目名称的商标和品牌政策（与版权许可证分开）

Step 7: Assemble the memo

步骤7：组装备忘录

Prepend the work-product header from

~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md

→

## Outputs

(differs by user role — see

## Who's using this

This memo and any dependency list reviewed may be privileged, confidential, or both. The output inherits that status from the source. Distribute only within the privilege circle; strip the work-product header before any external delivery (including before attaching the memo to an engineering ticket outside the privilege circle).

No silent supplement. If a research query to the configured legal research tool returns few or no results for a rule the memo needs (enforceability of AGPL's network trigger in a given jurisdiction, scope of GPL-3.0's patent grant, latest license text for a recently-relicensed package), report what was found and stop. Do NOT fill the gap from web search or model knowledge without asking. Say: "The search returned [N] results from [tool]. Coverage appears thin for [rule / license / jurisdiction]. Options: (1) broaden the search query, (2) try a different research tool, (3) search the web — results will be tagged
[web search — verify]
and should be checked against a primary source before relying, or (4) flag as unverified and stop. Which would you like?" A lawyer decides whether to accept lower-confidence sources.
Source attribution. Where the memo cites a license text, a court decision interpreting a license, or guidance from a steward (FSF, OSI, SPDX, SFLC), tag the citation:
[OSI]
,
[SPDX]
,
[FSF]
,
[SFC/SFLC]
,
[Westlaw]
, or the MCP tool name for citations retrieved from a connector;
[web search — verify]
for web-search citations;
[model knowledge — verify]
for citations recalled from training data;
[user provided]
for license text read directly from the repo. Citations tagged
verify
carry higher fabrication risk. Never strip or collapse the tags.

markdown

[WORK-PRODUCT HEADER — per plugin config ## Outputs]

添加

~/.claude/plugins/config/claude-for-legal/ip-legal/CLAUDE.md

→

## Outputs

中的工作产品页眉（根据用户角色不同而有所差异——请查看

## Who's using this

）。

本备忘录及任何审查的依赖列表可能享有特权、保密，或两者兼具。输出内容的状态继承自来源。仅在特权范围内分发；在外部交付前（包括附加到特权范围外的工程师工单前）移除工作产品页眉。

不得静默补充信息。如果对配置的法律研究工具的查询返回的结果不足以支持备忘录所需的规则（AGPL网络触发在特定司法管辖区的可执行性、GPL-3.0专利条款的范围、最近重新授权的包的最新许可证文本），请报告发现的内容并停止。不要未经询问就通过网络搜索或模型知识填补空白。请说："从[工具]搜索到[N]条结果。[规则/许可证/司法管辖区]的覆盖范围似乎不足。选项：(1) 扩大搜索查询范围，(2) 尝试其他研究工具，(3) 进行网络搜索——结果将标记为
[web search — verify]
，在依赖前应与原始来源核对，或(4) 标记为未验证并停止。你希望选择哪个？" 律师决定是否接受低可信度来源。
来源归属。如果备忘录引用许可证文本、解释许可证的法院判决，或来自管理机构（FSF、OSI、SPDX、SFLC）的指导，请标记引用：
[OSI]
、
[SPDX]
、
[FSF]
、
[SFC/SFLC]
、
[Westlaw]
，或连接器检索到的引用的MCP工具名称；网络搜索的引用标记为
[web search — verify]
；训练数据回忆的引用标记为
[model knowledge — verify]
；直接从仓库读取的许可证文本标记为
[user provided]
。标记为
verify
的引用存在较高的伪造风险。不得删除或合并这些标记。

markdown

[工作产品页眉 — 按插件配置## Outputs]

OSS Review: [Project / Dependency List / Package]

OSS审查：[项目 / 依赖列表 / 包]

Reviewed: [date] Scope: [Dependency list / Single library / Outbound code] Deployment model: [SaaS / Binary / Internal / Embedded]

审查日期： [日期] 范围： [依赖列表 / 单个库 / 待发布代码] 部署模型： [SaaS / 二进制文件 / 内部使用 / 嵌入式]

Bottom line

核心结论

[Two sentences. Can this ship? What has to happen first?]

Packages reviewed: [N] By classification: [N permissive, N weak copyleft, N strong copyleft, N public domain, N non-OSI, N unknown] Issues: [N]🔴 [N]🟠 [N]🟡 [N]🟢

Approval needed from: [name, per practice profile]

[两句话。是否可以发布？首先需要做什么？]

审查的包数量： [N] 按分类统计： [N个宽松型，N个弱Copyleft，N个强Copyleft，N个公共领域，N个非OSI认证，N个未知] 问题： [N]🔴 [N]🟠 [N]🟡 [N]🟢

需获得以下人员批准： [姓名，根据实践配置文件]

Top-of-memo flags

备忘录顶部标记

[License-unknown list, license-conflict list, non-OSI-posing-as-OSS list, incompatible combinations]

[许可证未知列表、许可证冲突列表、伪装成开源的非OSI许可证列表、不兼容组合]

By package

按包分类

[Blocks from Step 4, grouped by severity]

[步骤4中的模块，按严重程度分组]

Jurisdiction note

管辖权说明

OSS license enforceability varies — AGPL's network trigger has not been broadly tested in court; GPL-3.0's patent clause reads differently under US vs. EU patent law; dedications to public domain are not universally recognized. State the governing-law choice for any downstream distribution (e.g., vendor agreements incorporating the code) and flag jurisdictions the practice profile marks as escalate.

开源许可证的可执行性因地区而异——AGPL的网络触发尚未在法院广泛检验；GPL-3.0的专利条款在美国和欧盟专利法下解读不同；公共领域奉献并非在所有地区都得到认可。说明任何下游分发的管辖法律选择（例如，包含代码的供应商协议），并标记实践配置文件中标记为需升级的司法管辖区。

Outbound check (if applicable)

待发布代码检查（如适用）

[From Step 6]

[来自步骤6]

Approval routing

审批流程

[From practice profile — who approves, what triggers automatic escalation]

undefined

[来自实践配置文件——谁批准，什么情况自动升级]

undefined

Decision posture

决策原则

When a license cannot be confidently classified, flag it as "needs review" — do not call it permissive. Under-classifying license risk is a one-way door: a ship decision made on a permissive-by-default assumption becomes a source-disclosure obligation or an injunction months later. Over-flagging is a two-way door — the attorney narrows the list in review.

Likewise, when the copyleft-trigger analysis turns on a contested question (AGPL's "interacts over a network," GPL-3.0's "conveying," the scope of LGPL linking), flag for attorney review and surface the factors cutting both ways.

当无法自信地对许可证进行分类时，标记为**"需审查"**——不要称为宽松型。低估许可证风险是单向门：基于默认宽松型假设做出的发布决策可能在数月后导致源码披露义务或禁令。过度标记是双向门——律师会在审查中缩小范围。

同样，当Copyleft触发分析涉及有争议的问题（AGPL的"通过网络交互"、GPL-3.0的"分发"、LGPL链接范围）时，标记为需律师审查，并列出正反两方的影响因素。

Quality checks before delivering

交付前的质量检查

Practice profile and any OSS policy were loaded
Deployment model was established before classifying obligations
Every dependency has a classification, including transitives where available
License-unknown packages are flagged, not defaulted to permissive
License text was read (not just metadata) for any copyleft or non-OSI finding
Source tags applied to citations; no stripped
```
verify
```
tags
Approver named per practice profile
Output marked with the work-product header

已加载实践配置文件和任何OSS政策
在分类义务前已确定部署模型
每个依赖项都有分类，包括可用的传递依赖项
许可证未知的包已标记，未默认视为宽松型
对任何Copyleft或非OSI认证的发现都读取了许可证文本（而非仅元数据）
引用已添加来源标记；未删除
```
verify
```
标记
根据实践配置文件指定了审批人
输出已标记工作产品页眉

Close with the next-steps decision tree

以下一步决策树结束

End with the next-steps decision tree per CLAUDE.md

## Outputs

. Customize the options to what this skill just produced — the five default branches (draft the X, escalate, get more facts, watch and wait, something else) are a starting point, not a lock-in. The tree is the output; the lawyer picks.

If the scan surfaced more than ~10 packages, or any time the user asks: offer the dashboard (see CLAUDE.md

## Outputs → Dashboard offer for data-heavy outputs

). Shape the offer to what's useful here — counts by license family (permissive / weak copyleft / strong copyleft / AGPL / proprietary / unknown), risk distribution, and a table of findings with severity and package version.

根据CLAUDE.md

## Outputs

中的下一步决策树结束。根据该技能生成的内容自定义选项——五个默认分支（起草X、升级、获取更多事实、观察等待、其他）是起点，而非固定选项。决策树是输出内容，由律师选择。

如果扫描发现超过约10个包，或用户任何时候要求：提供仪表板（请查看CLAUDE.md

## Outputs → Dashboard offer for data-heavy outputs

）。根据此处的需求调整提供内容——按许可证家族（宽松型/弱Copyleft/强Copyleft/AGPL/专有/未知）统计数量、风险分布，以及包含严重程度和包版本的结果表格。