Skip to content

chore: license pnpr and pnpm-agent under PolyForm Shield 1.0.0#12082

Merged
zkochan merged 4 commits into
mainfrom
chore/pnpr-shield-license
May 30, 2026
Merged

chore: license pnpr and pnpm-agent under PolyForm Shield 1.0.0#12082
zkochan merged 4 commits into
mainfrom
chore/pnpr-shield-license

Conversation

@zkochan

@zkochan zkochan commented May 30, 2026

Copy link
Copy Markdown
Member

What

Relicenses the two source-available server components of the monorepo from MIT to the PolyForm Shield License 1.0.0:

  • pnpr/ — the pnpm-compatible npm registry server (Rust).
  • pnpm-agent (agent/server) — the pnpm agent server for server-side resolution + store-aware downloads (TypeScript).

Everything else in the monorepo stays MIT.

Under Shield, both may be run, modified, and self-hosted on-premise for any purpose, free of charge — including internal business use. The only thing forbidden is providing a product that competes with them (e.g. reselling or offering them as a hosted service). This reserves the commercial/competing rights to the copyright holder while keeping the software free for everyone else to use. Shield has no forced conversion to open source, so control is retained indefinitely.

Open-core split (clients stay MIT)

The agent protocol's client halves stay MIT so the protocol remains openly implementable:

  • @pnpm/agent.client (agent/client, TypeScript) — MIT.
  • pacquet/crates/agent-client (Rust) — MIT.

Only the servers are Shield.

Changes

pnpr (Rust):

  • pnpr/LICENSE.md — PolyForm Shield 1.0.0 text with a Required Notice: copyright line.
  • pnpr/crates/{pnpr,pnpr-fixtures}/Cargo.toml — stop inheriting the workspace MIT (license.workspace = truelicense-file = "../../LICENSE.md"). Not published to crates.io.
  • pnpr/npm/pnpr/ — the @pnpm/pnpr wrapper now declares "SEE LICENSE IN LICENSE.md" and ships a bundled LICENSE.md.

pnpm-agent (TypeScript):

  • agent/server/LICENSE.md — PolyForm Shield 1.0.0.
  • agent/server/package.json"license": "SEE LICENSE IN LICENSE.md".
  • .meta-updater/src/index.ts — exempt pnpm-agent from meta-updater's MIT normalization via a SOURCE_AVAILABLE_PKGS set, so lint:meta stays green. (Verified: meta-updater --test and eslint both pass.)
  • Changeset + README note.

Shared:

  • Root README.md notes the carve-out. The root LICENSE is left pristine MIT so GitHub/SPDX detection keeps recognizing the project as MIT.

No source-available code ships in the MIT CLI

pnpm-agent is only a devDependency of the pnpm CLI (used in tests), not a runtime dependency — so no Shield-licensed code is bundled into the MIT-licensed pnpm artifact.

How it relies on MIT's sublicense right

The existing pnpr/ and agent/server code (including other contributors' commits) was MIT. MIT permits sublicensing, so the combined work can be redistributed under Shield while the MIT attribution is retained — no clawback of already-published MIT versions.

Notes / review asks

  • Not open source — please don't let these be described as such anywhere.
  • These name a personal licensor inside the community repo. That's a deliberate strategy/governance decision for the maintainer, and worth a lawyer's sign-off before merge.
  • Cross-license dev/test deps: the MIT client packages and the MIT pnpm CLI dev-depend on the Shield servers for tests. Dev-deps don't ship, so the distributed MIT artifacts are unaffected — flagging it for a conscious "yes, fine."
  • The Required Notice: line currently reads Copyright 2026 Zoltan Kochan (https://kochan.io) in all three LICENSE.md copies — adjust if you'd prefer a company/different URL.

Contribution terms (relicensing flexibility)

Added pnpr/CONTRIBUTING.md and agent/server/CONTRIBUTING.md. Contributions to those source-available trees are accepted under the same PolyForm Shield License plus a grant letting the licensor relicense them under other terms. This keeps the option open to later relax to a more permissive source-available license (e.g. Elastic License v2) or offer a separate commercial license without per-contributor consent — important because Shield (unlike MIT) doesn't give the project owner sublicensing rights over inbound contributions by default.


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Documentation

    • Added comprehensive licensing documentation for pnpm-agent and pnpr packages
    • Updated contribution guidelines specifying source-available license terms
    • Added trademark notices clarifying independence from npm, GitHub, and Microsoft
  • Chores

    • Updated package license metadata across manifests to reference new license files

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0b9666d1-e110-42be-8d41-3843f9584e68

📥 Commits

Reviewing files that changed from the base of the PR and between 394ee27 and 43d97f4.

📒 Files selected for processing (15)
  • .changeset/pnpm-agent-shield-license.md
  • .meta-updater/src/index.ts
  • README.md
  • agent/server/CONTRIBUTING.md
  • agent/server/LICENSE.md
  • agent/server/README.md
  • agent/server/package.json
  • pnpr/CONTRIBUTING.md
  • pnpr/LICENSE.md
  • pnpr/crates/pnpr-fixtures/Cargo.toml
  • pnpr/crates/pnpr/Cargo.toml
  • pnpr/crates/pnpr/README.md
  • pnpr/npm/pnpr/LICENSE.md
  • pnpr/npm/pnpr/README.md
  • pnpr/npm/pnpr/package.json
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: ubuntu-latest / Node.js 24 / Test
  • GitHub Check: Lint and Test (windows-latest)
  • GitHub Check: Lint and Test (macos-latest)
🧰 Additional context used
📓 Path-based instructions (1)
pnpr/**/pnpr/**/Cargo.toml

📄 CodeRabbit inference engine (pnpr/AGENTS.md)

Declare new shared dependencies in the root [workspace.dependencies] and use { workspace = true } in pnpr crate's Cargo.toml

Files:

  • pnpr/crates/pnpr/Cargo.toml
🧠 Learnings (2)
📚 Learning: 2026-05-26T21:01:06.666Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11966
File: .changeset/require-tarball-integrity.md:6-6
Timestamp: 2026-05-26T21:01:06.666Z
Learning: In pnpm lockfile-related release notes/docs (especially changeset markdown), preserve URL hostnames exactly as they appear in pnpm-lock.yaml tarball resolution entries—keep hosts like `codeload.github.com`, `bitbucket.org`, and `gitlab.com` in lowercase. Do not “correct” them to title-case/preserve brand capitalization (e.g., LanguageTool rules like `GITHUB` capitalization) because these are literal URL fragments, not platform brand names.

Applied to files:

  • .changeset/pnpm-agent-shield-license.md
📚 Learning: 2026-05-05T23:03:04.286Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11479
File: __utils__/scripts/package.json:6-9
Timestamp: 2026-05-05T23:03:04.286Z
Learning: The pattern cross-env NODE_OPTIONS="$NODE_OPTIONS ..." in package.json scripts is an established convention in the pnpm/pnpm repository and is used across many packages (e.g., fs/hard-link-dir, worker, __utils__/scripts). Do not flag this as a cross-platform issue in individual files; if a change is needed, apply it as a repo-wide change in a separate PR. Scope this guidance to all package.json files in the repo; use the minimatch pattern '**/package.json' to identify relevant files and review changes at the repository level rather than per-file.

Applied to files:

  • agent/server/package.json
  • pnpr/npm/pnpr/package.json
🪛 LanguageTool
pnpr/npm/pnpr/LICENSE.md

[style] ~8-~8: Consider a more concise word here.
Context: ...han (https://kochan.io) ## Acceptance In order to get any license under these terms, you ...

(IN_ORDER_TO_PREMIUM)


[grammar] ~85-~85: Ensure spelling is correct
Context: ...iliates** means the other organizations than an organization has control over, is un...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

pnpr/LICENSE.md

[style] ~8-~8: Consider a more concise word here.
Context: ...han (https://kochan.io) ## Acceptance In order to get any license under these terms, you ...

(IN_ORDER_TO_PREMIUM)


[grammar] ~85-~85: Ensure spelling is correct
Context: ...iliates** means the other organizations than an organization has control over, is un...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

agent/server/LICENSE.md

[style] ~8-~8: Consider a more concise word here.
Context: ...han (https://kochan.io) ## Acceptance In order to get any license under these terms, you ...

(IN_ORDER_TO_PREMIUM)


[grammar] ~85-~85: Ensure spelling is correct
Context: ...iliates** means the other organizations than an organization has control over, is un...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🔇 Additional comments (16)
README.md (1)

230-230: LGTM!

.changeset/pnpm-agent-shield-license.md (1)

1-6: LGTM!

.meta-updater/src/index.ts (2)

445-445: LGTM!


25-30: ⚡ Quick win

Update SOURCE_AVAILABLE_PKGS for @pnpm/pnpr (or confirm this updater won’t touch it).

pnpr/npm/pnpr/package.json already has "license": "SEE LICENSE IN LICENSE.md", but .meta-updater/src/index.ts’s SOURCE_AVAILABLE_PKGS currently contains only 'pnpm-agent'. If .meta-updater processes @pnpm/pnpr during the release flow, its license would be rewritten to "MIT" unless it’s added to the set.

  • If @pnpm/pnpr is included in the updater’s target package manifests, add @pnpm/pnpr (matching manifest.name) to SOURCE_AVAILABLE_PKGS; if not, no change is needed.
agent/server/LICENSE.md (1)

1-92: LGTM!

agent/server/CONTRIBUTING.md (1)

1-36: LGTM!

agent/server/README.md (1)

174-193: LGTM!

agent/server/package.json (1)

9-9: LGTM!

pnpr/LICENSE.md (1)

1-92: LGTM!

pnpr/crates/pnpr-fixtures/Cargo.toml (1)

10-10: LGTM!

pnpr/crates/pnpr/README.md (1)

7-24: LGTM!

pnpr/npm/pnpr/LICENSE.md (1)

1-92: LGTM!

pnpr/npm/pnpr/package.json (1)

9-9: LGTM!

Also applies to: 21-24

pnpr/npm/pnpr/README.md (1)

80-86: LGTM!

pnpr/crates/pnpr/Cargo.toml (1)

7-7: LICENSE.md path in pnpr/crates/pnpr/Cargo.toml exists

license-file = "../../LICENSE.md" resolves to pnpr/LICENSE.md, and the file is present.

pnpr/CONTRIBUTING.md (1)

35-36: Verify referenced documentation files exist. pnpr/AGENTS.md and pacquet/CONTRIBUTING.md (referenced as ../pacquet/CONTRIBUTING.md) are present at the specified paths.


📝 Walkthrough

Walkthrough

This PR adopts the PolyForm Shield License 1.0.0 for pnpm-agent and pnpr components while keeping the main monorepo MIT-licensed. It updates the meta-updater to conditionally emit license fields, adds license documents and contribution guides to both components, and updates package metadata across Rust and npm packages.

Changes

PolyForm Shield License adoption for pnpm-agent and pnpr

Layer / File(s) Summary
Root monorepo license documentation
README.md
Root README documents the license exception for pnpr/, clarifying it is PolyForm Shield 1.0.0 instead of MIT.
Meta-updater conditional license field
.changeset/pnpm-agent-shield-license.md, .meta-updater/src/index.ts
Changeset entry and meta-updater code introduce SOURCE_AVAILABLE_PKGS set to conditionally emit SEE LICENSE IN LICENSE.md instead of MIT for designated packages.
pnpm-agent (agent/server) licensing and contribution terms
agent/server/LICENSE.md, agent/server/CONTRIBUTING.md, agent/server/README.md, agent/server/package.json
Full PolyForm Shield License text, contribution terms with inbound relicensing grant, license and trademark documentation in README, and updated package license metadata.
pnpr directory licensing across Rust and npm packages
pnpr/LICENSE.md, pnpr/CONTRIBUTING.md, pnpr/crates/pnpr/Cargo.toml, pnpr/crates/pnpr-fixtures/Cargo.toml, pnpr/crates/pnpr/README.md, pnpr/npm/pnpr/LICENSE.md, pnpr/npm/pnpr/package.json, pnpr/npm/pnpr/README.md
PolyForm Shield License text and contribution guide for pnpr directory; Cargo.toml updates to reference concrete license file; npm package LICENSE.md, updated package.json license and files list, and README with license and trademark notices.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through licensing bright,
Shield and forms align just right,
Pnpr's source shines free to see,
While MIT guards the rest with glee!
License walls need papers true,
Documentation through and through! 📋✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: licensing two components (pnpr and pnpm-agent) under PolyForm Shield 1.0.0 instead of MIT.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/pnpr-shield-license

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Relicense the pnpr/ subtree (the pnpm-compatible registry server) from
MIT to the source-available PolyForm Shield License 1.0.0. The rest of
the monorepo stays MIT. pnpr may be run, modified, and self-hosted for
any purpose except providing a product that competes with it.

- Add pnpr/LICENSE.md (PolyForm Shield 1.0.0).
- Override the inherited workspace MIT in the pnpr crates via
  license-file.
- Point the @pnpm/pnpr npm wrapper at the bundled LICENSE.md.
- Note the carve-out in the root README (the root LICENSE stays
  pristine MIT so license detection keeps recognizing it).
@zkochan zkochan force-pushed the chore/pnpr-shield-license branch from 90d252d to bc83964 Compare May 30, 2026 19:17
Relicense the pnpm-agent server (agent/server) from MIT to the
source-available PolyForm Shield License 1.0.0, matching pnpr. The
@pnpm/agent.client package stays MIT so the agent protocol remains
openly implementable.

- Add agent/server/LICENSE.md (PolyForm Shield 1.0.0).
- Set the package license to "SEE LICENSE IN LICENSE.md".
- Exempt pnpm-agent from meta-updater's MIT normalization via a
  SOURCE_AVAILABLE_PKGS set, so lint:meta stays green.
- Note the carve-out in the agent/server README + add a changeset.

pnpm-agent is only a devDependency of the pnpm CLI, so no source-
available code ships in the MIT-licensed CLI artifact.
@zkochan zkochan changed the title chore(pnpr): license under PolyForm Shield 1.0.0 chore: license pnpr and pnpm-agent under PolyForm Shield 1.0.0 May 30, 2026
zkochan added 2 commits May 30, 2026 22:23
… and pnpm-agent

Contributions to the source-available trees (pnpr/, agent/server) are
accepted under the same PolyForm Shield License plus a grant letting the
licensor relicense them under other terms. This preserves the option to
later relax to a more permissive source-available license or offer a
separate commercial license without per-contributor consent.

- Add pnpr/CONTRIBUTING.md and agent/server/CONTRIBUTING.md.
- Point to them from each tree's README license section.
…npm-agent

State that pnpr and pnpm-agent are not affiliated with or endorsed by
npm, Inc., GitHub, or Microsoft, and that "npm" is used only to describe
registry-protocol compatibility. Also add a License section to the
published @pnpm/pnpr npm wrapper README.
@zkochan zkochan marked this pull request as ready for review May 30, 2026 20:40
@qodo-free-for-open-source-projects

Copy link
Copy Markdown

Review Summary by Qodo

License pnpr and pnpm-agent under PolyForm Shield 1.0.0

✨ Enhancement 📝 Documentation

Grey Divider

Walkthroughs

Description
• Relicense pnpr/ and pnpm-agent from MIT to PolyForm Shield 1.0.0
• Add PolyForm Shield LICENSE.md files to both source-available components
• Establish contribution terms with relicensing grant for future flexibility
• Update package manifests and meta-updater to reflect new license declarations
• Document license carve-outs in README files and contribution guidelines
Diagram
flowchart LR
  MIT["MIT Monorepo"] -->|"Carve-out"| Shield["PolyForm Shield 1.0.0"]
  Shield -->|"pnpr/"| Registry["pnpr Registry Server"]
  Shield -->|"agent/server"| Agent["pnpm-agent Server"]
  MIT -->|"Stays MIT"| Client["@pnpm/agent.client"]
  MIT -->|"Stays MIT"| CLI["pnpm CLI"]
  ContribTerms["Contribution Terms + Relicensing Grant"] -->|"Enables"| FutureRelicense["Future License Changes"]

Loading

Grey Divider

File Changes

1. pnpr/LICENSE.md Licensing +91/-0

Add PolyForm Shield License text

pnpr/LICENSE.md


2. pnpr/CONTRIBUTING.md 📝 Documentation +36/-0

Define contribution terms with relicensing grant

pnpr/CONTRIBUTING.md


3. pnpr/crates/pnpr/Cargo.toml ⚙️ Configuration changes +1/-1

Override workspace MIT with Shield license-file

pnpr/crates/pnpr/Cargo.toml


View more (12)
4. pnpr/crates/pnpr-fixtures/Cargo.toml ⚙️ Configuration changes +1/-1

Override workspace MIT with Shield license-file

pnpr/crates/pnpr-fixtures/Cargo.toml


5. pnpr/crates/pnpr/README.md 📝 Documentation +19/-0

Document Shield license and usage restrictions

pnpr/crates/pnpr/README.md


6. pnpr/npm/pnpr/package.json ⚙️ Configuration changes +3/-2

Update license field and bundle LICENSE.md

pnpr/npm/pnpr/package.json


7. pnpr/npm/pnpr/README.md 📝 Documentation +8/-0

Document Shield license and trademark notice

pnpr/npm/pnpr/README.md


8. pnpr/npm/pnpr/LICENSE.md Licensing +91/-0

Add PolyForm Shield License text for npm package

pnpr/npm/pnpr/LICENSE.md


9. agent/server/LICENSE.md Licensing +91/-0

Add PolyForm Shield License text

agent/server/LICENSE.md


10. agent/server/CONTRIBUTING.md 📝 Documentation +35/-0

Define contribution terms with relicensing grant

agent/server/CONTRIBUTING.md


11. agent/server/package.json ⚙️ Configuration changes +1/-1

Update license field to Shield license reference

agent/server/package.json


12. agent/server/README.md 📝 Documentation +20/-0

Document Shield license and usage restrictions

agent/server/README.md


13. .meta-updater/src/index.ts ✨ Enhancement +8/-1

Exempt source-available packages from MIT normalization

.meta-updater/src/index.ts


14. .changeset/pnpm-agent-shield-license.md 📝 Documentation +5/-0

Add changeset for pnpm-agent license change

.changeset/pnpm-agent-shield-license.md


15. README.md 📝 Documentation +1/-1

Note Shield license carve-out for pnpr and pnpm-agent

README.md


Grey Divider

Qodo Logo

@zkochan zkochan merged commit d99b725 into main May 30, 2026
20 checks passed
@zkochan zkochan deleted the chore/pnpr-shield-license branch May 30, 2026 20:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants