Dependency License Audit

KOSMOVIZ checks package licenses against tools/allowed-licenses.json with the local audit command.

Audit command

scripts/legal-audit.sh --json --write-artifact

Launch artifact workflow

Release candidates write the JSON output to the fixed path docs/legal/license-audit/latest.json and attach the summary to the launch checklist. Conditional or denied licenses block release until the package is replaced or legal review explicitly approves it.

The shell wrapper scripts/legal-audit.sh delegates to the TypeScript audit CLI so CI and local release checks use the same policy file.
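
The blocking rule from the launch artifact workflow, sketched as an added example (not KOSMOVIZ's own code). The shapes of the policy file and dependency records, the per-version approval key, and the fail-closed handling of unlisted or missing licenses are assumptions, since the page shows neither schema.

```typescript
// Added example, not the project's audit CLI. All type shapes are assumed.
type Status = "allowed" | "conditional" | "denied";

interface Policy {                    // hypothetical shape of tools/allowed-licenses.json
  allowed: string[];                  // license identifiers that never block
  conditional: string[];              // identifiers that need legal review
  approvals: Record<string, string>;  // "name@version" -> legal review reference
}
interface Dep { name: string; version: string; license: string | null; }
interface Finding extends Dep { status: Status; approvedBy?: string; }

// Classify one dependency. Anything not explicitly listed is denied
// (fail closed), including packages that declare no license at all.
function classify(dep: Dep, policy: Policy): Finding {
  const id = (dep.license ?? "").trim();
  let status: Status = "denied";
  if (policy.allowed.indexOf(id) !== -1) status = "allowed";
  else if (policy.conditional.indexOf(id) !== -1) status = "conditional";
  // Approvals are keyed by exact version, so an upgrade needs a fresh review.
  const approvedBy = policy.approvals[`${dep.name}@${dep.version}`];
  return status !== "allowed" && approvedBy ? { ...dep, status, approvedBy } : { ...dep, status };
}

// A release is blocked by every conditional or denied finding without an approval.
function releaseBlockers(deps: Dep[], policy: Policy): Finding[] {
  return deps
    .map((d) => classify(d, policy))
    .filter((f) => f.status !== "allowed" && f.approvedBy === undefined);
}

// Constructed sample data: package names and the approval reference are placeholders.
const samplePolicy: Policy = {
  allowed: ["MIT", "Apache-2.0"],
  conditional: ["MPL-2.0"],
  approvals: { "mpl-lib@2.1.0": "LEGAL-REVIEW-PLACEHOLDER" },
};
const sampleDeps: Dep[] = [
  { name: "left-util", version: "1.0.0", license: "MIT" },
  { name: "mpl-lib", version: "2.1.0", license: "MPL-2.0" },   // approved by legal
  { name: "mpl-lib", version: "2.2.0", license: "MPL-2.0" },   // upgrade, not re-approved
  { name: "copyleft-x", version: "0.3.0", license: "GPL-3.0-only" },
  { name: "mystery", version: "4.0.0", license: null },        // no declared license
];
const sampleBlockers: Finding[] = releaseBlockers(sampleDeps, samplePolicy);
```

A gate built this way exits non-zero whenever the blocker list is non-empty, so a new transitive dependency with an unlisted license stops the release rather than passing silently.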