gpl_license_guard/

lib.rs

#![forbid(unsafe_code)]
//! # gpl-license-guard
//!
//! An **independent**, general-purpose license-boundary inspection gate that emits a **receipt**, not a
//! legal opinion. It scans a repo (and, later, a distribution artifact) for the practical GPL/LGPL boundary
//! surfaces and classifies them with typed verdicts, so any project -- a commercial release, an open
//! copyleft derivative, anything -- can *prove* its license posture continuously instead of arguing it by
//! hand.
//!
//! The claim is deliberately narrow: "at this commit, under this policy, no detected GPL/LGPL boundary
//! violation according to declared machine-checkable rules" -- never "legally safe forever". The receipt
//! carries an explicit non-claims list.
//!
//! Independence is the point: this tool depends on nothing GNU and nothing from the projects it audits --
//! it inspects from the outside, so the auditor is not part of the audited. Apache-2.0.

use serde::{Deserialize, Serialize};
use std::path::Path;

/// Overall gate verdict (typed, not a boolean).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum GateVerdict {
    Pass,
    Warn,
    Fail,
    ManualReviewRequired,
    NotApplicable,
}

/// How this package relates to GnuCOBOL material (the bucket that must NOT collapse).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum GnuBoundary {
    NoGnuMaterialDetected,
    ExternalOracleOnly,
    GnuLibraryLinked,
    GnuBinaryBundled,
    GnuSourceVendored,
    UnknownGnuSurface,
}

/// One observed surface.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Finding {
    pub path: String,
    pub kind: String,
    pub severity: String, // low | medium | high
    pub detail: String,
}

/// The machine-checkable policy.
#[derive(Debug, Clone)]
pub struct Policy {
    pub name: String,
    pub deny_licenses: Vec<String>,
    pub manual_review_licenses: Vec<String>,
    pub allow_link_gnucobol: bool,
    pub allow_vendored_gnucobol_source: bool,
    pub allow_bundled_gnucobol_binary: bool,
    /// Tools declared as external oracles (invoked as a process, not bundled), e.g. `cobc`.
    pub declared_external_tools: Vec<String>,
}

impl Policy {
    /// Select a built-in policy by name (CLI `--policy`). Accepts short forms (`lgpl`, `derivative`,
    /// `commercial`). Defaults to the commercial boundary.
    pub fn by_name(name: &str) -> Self {
        let n = name.to_ascii_lowercase();
        if n.contains("lgpl") || n.contains("deriv") {
            Self::lgpl_faithful_derivative()
        } else {
            Self::commercial_boundary()
        }
    }

    /// Policy for an LGPL faithful-derivative open repo (e.g. gnucobol-rs): it legitimately vendors the
    /// admitted oracle and links/inherits copyleft -- those are EXPECTED, not violations. The obligation
    /// it must honor (stay LGPL, never claim permissive/clean-room) is a documentation claim, not a file
    /// surface, so this policy permits the GNU material and records it factually.
    pub fn lgpl_faithful_derivative() -> Self {
        Policy {
            name: "lgpl-faithful-derivative-v1".into(),
            deny_licenses: Vec::new(), // open copyleft project: nothing denied by license
            manual_review_licenses: Vec::new(),
            allow_link_gnucobol: true,
            allow_vendored_gnucobol_source: true,
            allow_bundled_gnucobol_binary: true,
            declared_external_tools: vec!["cobc".into()],
        }
    }

    /// The default commercial-boundary policy: external oracle OK; no vendored source / bundled binary /
    /// gnucobol linking in a commercial artifact; GPL/AGPL denied; LGPL needs manual review.
    pub fn commercial_boundary() -> Self {
        let s = |v: &[&str]| v.iter().map(|x| x.to_string()).collect();
        Policy {
            name: "commercial-boundary-v1".into(),
            deny_licenses: s(&[
                "GPL-2.0-only",
                "GPL-2.0-or-later",
                "GPL-3.0-only",
                "GPL-3.0-or-later",
                "AGPL-3.0-only",
                "AGPL-3.0-or-later",
            ]),
            manual_review_licenses: s(&[
                "LGPL-2.1-only",
                "LGPL-2.1-or-later",
                "LGPL-3.0-only",
                "LGPL-3.0-or-later",
                "MPL-2.0",
            ]),
            allow_link_gnucobol: false,
            allow_vendored_gnucobol_source: false,
            allow_bundled_gnucobol_binary: false,
            declared_external_tools: vec!["cobc".into()],
        }
    }
}

/// The scan report (serializes into the receipt).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScanReport {
    pub schema: String,
    pub project: String,
    pub crate_license: String,
    pub policy: String,
    pub verdict: GateVerdict,
    pub gnu_boundary: GnuBoundary,
    pub gnucobol_source_vendored: bool,
    pub gnucobol_binary_bundled: bool,
    pub gnucobol_library_linked: bool,
    pub external_tools: Vec<String>,
    pub findings: Vec<Finding>,
    pub non_claims: Vec<String>,
}

fn non_claims() -> Vec<String> {
    [
        "not legal advice",
        "not a substitute for review by counsel",
        "does not determine copyright ownership",
        "does not prove the absence of all copied code",
        "covers only declared inputs and the scanned tree at this commit",
    ]
    .iter()
    .map(|s| s.to_string())
    .collect()
}

fn read_to_string(p: &Path) -> String {
    std::fs::read_to_string(p).unwrap_or_default()
}

/// Recursively collect file paths under `root`, skipping build/vcs dirs.
fn walk(root: &Path, out: &mut Vec<std::path::PathBuf>) {
    let skip = ["target", ".git", "node_modules"];
    let rd = match std::fs::read_dir(root) {
        Ok(r) => r,
        Err(_) => return,
    };
    for e in rd.flatten() {
        let p = e.path();
        let name = p.file_name().and_then(|n| n.to_str()).unwrap_or("");
        if p.is_dir() {
            if !skip.contains(&name) {
                walk(&p, out);
            }
        } else {
            out.push(p);
        }
    }
}

/// Detect the crate's own declared license + whether it declares a gnucobol-rs dependency.
fn inspect_cargo(root: &Path) -> (String, String, bool) {
    let txt = read_to_string(&root.join("Cargo.toml"));
    let mut name = String::new();
    let mut license = String::new();
    let mut in_deps = false;
    let mut links_gnucobol = false;
    for line in txt.lines() {
        let l = line.trim();
        if l.starts_with('[') {
            in_deps = l.starts_with("[dependencies")
                || l.starts_with("[build-dependencies")
                || l.starts_with("[target");
            continue;
        }
        if let Some(v) = l.strip_prefix("name = ") {
            name = v.trim().trim_matches('"').to_string();
        } else if let Some(v) = l.strip_prefix("license = ") {
            license = v.trim().trim_matches('"').to_string();
        } else if in_deps && (l.starts_with("gnucobol-rs") || l.starts_with("\"gnucobol-rs\"")) {
            links_gnucobol = true;
        }
    }
    // workspace fallback: a virtual manifest has no [package]; read the PRIMARY member under crates/
    // (prefer the member whose folder name matches the repo, else the first named member).
    if name.is_empty() {
        let repo_name = root.file_name().and_then(|n| n.to_str()).unwrap_or("").to_string();
        if let Ok(rd) = std::fs::read_dir(root.join("crates")) {
            let mut members: Vec<_> = rd.flatten().map(|e| e.path()).collect();
            members.sort();
            members.sort_by_key(|m| m.file_name().and_then(|n| n.to_str()).map(|n| n != repo_name).unwrap_or(true));
            for m in members {
                let mtxt = read_to_string(&m.join("Cargo.toml"));
                let mut mn = String::new();
                let mut ml = String::new();
                for line in mtxt.lines() {
                    let l = line.trim();
                    if let Some(v) = l.strip_prefix("name = ") {
                        mn = v.trim().trim_matches('"').to_string();
                    } else if let Some(v) = l.strip_prefix("license = ") {
                        ml = v.trim().trim_matches('"').to_string();
                    }
                }
                if !mn.is_empty() {
                    name = mn;
                    license = ml;
                    break;
                }
            }
        }
    }
    (name, license, links_gnucobol)
}

/// Scan a repo root against a policy and produce a report.
pub fn scan(root: impl AsRef<Path>, policy: &Policy) -> ScanReport {
    let root = root.as_ref();
    let (project, crate_license, links_gnucobol) = inspect_cargo(root);

    let mut findings = Vec::new();
    let mut vendored = false;
    let mut binary = false;
    let mut invokes_external_cobc = false;

    let mut files = Vec::new();
    walk(root, &mut files);
    for p in &files {
        let rel = p.strip_prefix(root).unwrap_or(p).to_string_lossy().replace('\\', "/");
        let name = p.file_name().and_then(|n| n.to_str()).unwrap_or("");
        let low = rel.to_ascii_lowercase();

        // external-oracle invocation: a real process spawn of the cobc binary -- detected as the contiguous
        // call literal, so a tool that merely mentions the two tokens separately is not flagged.
        if name.ends_with(".rs") && read_to_string(p).contains("new(\"cobc") {
            invokes_external_cobc = true;
        }

        // vendored GnuCOBOL/libcob SOURCE (a real implementation tree, not a string mention)
        let is_src_ext = name.ends_with(".c") || name.ends_with(".h") || name.ends_with(".cob") || name.ends_with(".cpy");
        if (low.contains("gnucobol") || low.contains("libcob")) && (is_src_ext || low.contains("gnucobol-3.")) {
            vendored = true;
            findings.push(Finding {
                path: rel.clone(),
                kind: "vendored_gnucobol_source".into(),
                severity: "high".into(),
                detail: "GnuCOBOL/libcob source material inside the tree".into(),
            });
            continue;
        }
        // bundled GnuCOBOL/libcob BINARY
        if name == "cobc"
            || name.starts_with("libcob.so")
            || name == "libcob.a"
            || (low.contains("gnucobol") && (name.ends_with(".tar.gz") || name.ends_with(".tar.lz") || name.ends_with(".tar.xz")))
        {
            binary = true;
            findings.push(Finding {
                path: rel.clone(),
                kind: "bundled_gnucobol_binary_or_archive".into(),
                severity: "high".into(),
                detail: "GnuCOBOL binary/archive inside the tree".into(),
            });
            continue;
        }
        // LGPL/GPL license texts present in the tree (informational; e.g. a faithful-derivative crate)
        if name == "COPYING.LESSER" || name.starts_with("LGPL-") {
            findings.push(Finding {
                path: rel.clone(),
                kind: "lgpl_license_text".into(),
                severity: "low".into(),
                detail: "LGPL license text present".into(),
            });
        } else if name == "COPYING" || name.starts_with("GPL-") {
            findings.push(Finding {
                path: rel.clone(),
                kind: "gpl_license_text".into(),
                severity: "medium".into(),
                detail: "GPL license text present".into(),
            });
        }
    }

    // build.rs link directives (a behavioral link signal, not a string mention)
    let build_rs = read_to_string(&root.join("build.rs"));
    let build_links_gnu = build_rs.contains("rustc-link-lib")
        && (build_rs.contains("cob") || build_rs.contains("gnucobol"));
    if build_links_gnu {
        findings.push(Finding {
            path: "build.rs".into(),
            kind: "native_link_directive".into(),
            severity: "high".into(),
            detail: "build.rs links a cob/gnucobol native library".into(),
        });
    }
    let library_linked = links_gnucobol || build_links_gnu;
    if links_gnucobol {
        findings.push(Finding {
            path: "Cargo.toml".into(),
            kind: "gnucobol_rs_crate_dependency".into(),
            severity: "medium".into(),
            detail: "links the LGPL gnucobol-rs crate (LGPL relink obligation applies to distributed binaries)".into(),
        });
    }

    // classify the GNU boundary (the buckets must not collapse)
    let gnu_boundary = if vendored {
        GnuBoundary::GnuSourceVendored
    } else if binary {
        GnuBoundary::GnuBinaryBundled
    } else if library_linked {
        GnuBoundary::GnuLibraryLinked
    } else if invokes_external_cobc {
        GnuBoundary::ExternalOracleOnly
    } else {
        GnuBoundary::NoGnuMaterialDetected
    };

    // verdict per policy
    let license_denied = policy.deny_licenses.iter().any(|d| d == &crate_license);
    let license_review = policy.manual_review_licenses.iter().any(|d| d == &crate_license);
    let verdict = if license_denied {
        GateVerdict::Fail
    } else if vendored && !policy.allow_vendored_gnucobol_source {
        GateVerdict::Fail
    } else if binary && !policy.allow_bundled_gnucobol_binary {
        GateVerdict::Fail
    } else if library_linked && !policy.allow_link_gnucobol {
        GateVerdict::ManualReviewRequired
    } else if license_review {
        GateVerdict::ManualReviewRequired
    } else {
        GateVerdict::Pass
    };

    ScanReport {
        schema: "gpl-license-guard-receipt-v1".into(),
        project,
        crate_license,
        policy: policy.name.clone(),
        verdict,
        gnu_boundary,
        gnucobol_source_vendored: vendored,
        gnucobol_binary_bundled: binary,
        gnucobol_library_linked: library_linked,
        external_tools: if gnu_boundary == GnuBoundary::ExternalOracleOnly {
            policy.declared_external_tools.clone()
        } else {
            Vec::new()
        },
        findings,
        non_claims: non_claims(),
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn clean_forensic_crate_passes() {
        // a crate with no GNU material, no gnucobol-rs dep, permissive license -> Pass
        let dir = tempdir("clean");
        write(&dir, "Cargo.toml", "name = \"kobold-x\"\nlicense = \"Apache-2.0\"\n[dependencies]\nserde = \"1\"\n");
        write(&dir, "src/lib.rs", "pub fn f() {}\n");
        let r = scan(&dir, &Policy::commercial_boundary());
        assert_eq!(r.verdict, GateVerdict::Pass);
        assert_eq!(r.gnu_boundary, GnuBoundary::NoGnuMaterialDetected); // pure data tool, no cobc spawn
        assert!(!r.gnucobol_library_linked);
        cleanup(&dir);
    }

    #[test]
    fn external_cobc_invocation_is_oracle_only() {
        let dir = tempdir("oracle");
        write(&dir, "Cargo.toml", "name = \"kobold-y\"\nlicense = \"Apache-2.0\"\n");
        write(&dir, "src/main.rs", "fn main(){ let _ = std::process::Command::new(\"cobc\").arg(\"-x\"); }\n");
        let r = scan(&dir, &Policy::commercial_boundary());
        assert_eq!(r.gnu_boundary, GnuBoundary::ExternalOracleOnly);
        assert_eq!(r.verdict, GateVerdict::Pass);
        assert_eq!(r.external_tools, vec!["cobc".to_string()]);
        cleanup(&dir);
    }

    #[test]
    fn the_guard_does_not_self_flag() {
        // scanning this very crate must NOT report it as invoking cobc (its detector merely mentions the
        // tokens). Run against the crate's own manifest dir.
        let root = env!("CARGO_MANIFEST_DIR");
        let r = scan(root, &Policy::commercial_boundary());
        assert_eq!(r.gnu_boundary, GnuBoundary::NoGnuMaterialDetected, "the guard must not self-flag");
        assert_eq!(r.verdict, GateVerdict::Pass);
    }

    #[test]
    fn gnucobol_rs_dependency_triggers_manual_review() {
        let dir = tempdir("linked");
        write(
            &dir,
            "Cargo.toml",
            "name = \"kobold-guard\"\nlicense = \"Apache-2.0\"\n[dependencies]\ngnucobol-rs = \"0.7\"\n",
        );
        let r = scan(&dir, &Policy::commercial_boundary());
        assert_eq!(r.gnu_boundary, GnuBoundary::GnuLibraryLinked);
        assert_eq!(r.verdict, GateVerdict::ManualReviewRequired);
        assert!(r.gnucobol_library_linked);
        cleanup(&dir);
    }

    #[test]
    fn vendored_gnucobol_source_fails() {
        let dir = tempdir("vendored");
        write(&dir, "Cargo.toml", "name = \"bad\"\nlicense = \"Apache-2.0\"\n");
        write(&dir, "vendor/gnucobol/libcob/move.c", "/* cob source */\n");
        let r = scan(&dir, &Policy::commercial_boundary());
        assert_eq!(r.gnu_boundary, GnuBoundary::GnuSourceVendored);
        assert_eq!(r.verdict, GateVerdict::Fail);
        cleanup(&dir);
    }

    #[test]
    fn vendored_source_passes_under_derivative_policy() {
        // the SAME vendored-source tree that FAILs the commercial policy PASSes the lgpl-derivative policy:
        // two correct, opposite verdicts -- that is the separation, machine-checked.
        let dir = tempdir("deriv");
        write(&dir, "Cargo.toml", "name = \"gnucobol-rs\"\nlicense = \"LGPL-3.0-or-later\"\n");
        write(&dir, "research/gnucobol-3.2/libcob/move.c", "/* cob */\n");
        assert_eq!(scan(&dir, &Policy::commercial_boundary()).verdict, GateVerdict::Fail);
        let r = scan(&dir, &Policy::lgpl_faithful_derivative());
        assert_eq!(r.gnu_boundary, GnuBoundary::GnuSourceVendored); // recorded factually
        assert_eq!(r.verdict, GateVerdict::Pass); // but permitted for an LGPL derivative
        cleanup(&dir);
    }

    #[test]
    fn gpl_crate_license_is_denied() {
        let dir = tempdir("gpl");
        write(&dir, "Cargo.toml", "name = \"x\"\nlicense = \"GPL-3.0-or-later\"\n");
        let r = scan(&dir, &Policy::commercial_boundary());
        assert_eq!(r.verdict, GateVerdict::Fail);
        cleanup(&dir);
    }

    // --- tiny test fs helpers (no external deps) ---
    fn tempdir(tag: &str) -> std::path::PathBuf {
        let d = std::env::temp_dir().join(format!("klg-test-{tag}"));
        let _ = std::fs::remove_dir_all(&d);
        std::fs::create_dir_all(&d).unwrap();
        d
    }
    fn write(dir: &Path, rel: &str, content: &str) {
        let p = dir.join(rel);
        std::fs::create_dir_all(p.parent().unwrap()).unwrap();
        std::fs::write(p, content).unwrap();
    }
    fn cleanup(dir: &Path) {
        let _ = std::fs::remove_dir_all(dir);
    }
}