DEP-16: Adding a LICENSE File to the Repository
Compliance control: DEP-16 — License File Present
Introduced in: v0.1.45
Background
A routine dependency licensing audit (control DEP-16) found that the repository root does not contain a LICENSE, LICENSE.md, or LICENSE.txt file.
While the project is marked private in package.json, the absence of any licence file creates three areas of risk:
- IP ownership ambiguity — Without an explicit licence, it is legally unclear who owns the code and what rights contributors or contractors have over it.
- Contributor/contractor clarity — Anyone who writes code for the project has no documented terms governing how that work may be used.
- Open-source attribution compliance — Several common dependency licences (e.g. MIT, BSD) require copyright notices to be preserved. A missing project licence can complicate audits that verify this requirement is met.
Recommended Action
Add a LICENSE file to the root of the repository. Choose the type that matches your intent:
Option A — Proprietary / All-Rights-Reserved (recommended for private commercial SaaS)
Create a file named LICENSE at the repository root with content similar to:
Copyright (c) [YEAR] [Company Name]. All rights reserved.
This software and its source code are proprietary and confidential.
Unauthorised copying, modification, distribution, or use of this software,
via any medium, is strictly prohibited without the express written
permission of [Company Name].
Option B — UNLICENSED marker (minimum viable fix)
If a full proprietary licence is not yet available, add an UNLICENSED notice to signal explicit intent:
UNLICENSED
Copyright (c) [YEAR] [Company Name]. All rights reserved.
This repository is not open-source. No licence is granted to any
third party to use, copy, modify, or distribute this software.
This mirrors the "license": "UNLICENSED" field that can be set in package.json.
Option C — Open-source licence (if source-available is intended)
If the project is intended to be source-available or open-source, use a standard SPDX licence:
- MIT — permissive, widely understood
- Apache-2.0 — permissive with explicit patent grant
The full text for any SPDX licence can be obtained from https://spdx.org/licenses/.
Verification
Once a licence file is added, control DEP-16 will pass. To verify locally:
# Confirm the file exists at the repo root
ls LICENSE*
The file should appear as one of: LICENSE, LICENSE.md, or LICENSE.txt.
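As an added local check that is not part of the original advisory, the following POSIX shell script reproduces the DEP-16 file-presence test for exactly those three filenames and also reads the "license" field from package.json, so the file and the manifest can be compared (the function names and the repository-path argument are my own):

```shell
#!/bin/sh
# dep16_check: emulate the DEP-16 "License File Present" control locally.
# Argument: repository root (defaults to the current directory).
# Returns 0 when one of LICENSE, LICENSE.md or LICENSE.txt exists there,
# 1 otherwise. Only these three names count, matching the control text.
dep16_check() {
  repo="${1:-.}"
  found=""
  for name in LICENSE LICENSE.md LICENSE.txt; do
    if [ -f "$repo/$name" ]; then
      found="$name"
      break
    fi
  done
  if [ -z "$found" ]; then
    echo "DEP-16 FAIL: no LICENSE, LICENSE.md or LICENSE.txt in $repo" >&2
    return 1
  fi
  echo "DEP-16 PASS: $found present in $repo"
  return 0
}

# package_json_license: print the value of the top-level "license" field in
# package.json (for example UNLICENSED), or nothing if the field is absent.
# Uses sed only, so it works without jq; it expects the field on one line,
# which is how npm writes it.
package_json_license() {
  repo="${1:-.}"
  [ -f "$repo/package.json" ] || return 1
  sed -n 's/^[[:space:]]*"license"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$repo/package.json" | head -n 1
}

# Command-line use: sh dep16_check.sh /path/to/repo
if [ $# -gt 0 ]; then
  dep16_check "$1"
  echo "package.json license field: $(package_json_license "$1")"
fi
```

A repository that passes the file check but whose package.json still lacks the "license" field (or sets a different value) is worth flagging in the same audit, since the two are read by different tools.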
Related
- Changelog — v0.1.45
- SPDX licence list: https://spdx.org/licenses/