From 189bfa5e2de508fb13d095e408a1d63594e0b1d7 Mon Sep 17 00:00:00 2001
From: Cameron Cooke <web@cameroncooke.com>
Date: Wed, 4 Mar 2026 09:22:57 +0000
Subject: [PATCH 1/2] docs: add AXe and IDB third-party license notices

---
 CHANGELOG.md         |  1 -
 README.md            |  1 +
 THIRD_PARTY_LICENSES | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 THIRD_PARTY_LICENSES

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a1f9312..8c4ee52f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -318,4 +318,3 @@ Please note that the UI automation features are an early preview and currently i
 ## [v1.0.1] - 2025-04-02
 - Initial release of XcodeBuildMCP
 - Basic support for building iOS and macOS applications
-
diff --git a/README.md b/README.md
index 977ada5a..20aaf655 100644
--- a/README.md
+++ b/README.md
@@ -368,3 +368,4 @@ The CLI uses a per-workspace daemon for stateful operations (log capture, debugg
 ## Licence
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+Third-party licensing notices (including AXe and Meta's IDB MIT attributions) are in [THIRD_PARTY_LICENSES](THIRD_PARTY_LICENSES).
diff --git a/THIRD_PARTY_LICENSES b/THIRD_PARTY_LICENSES
new file mode 100644
index 00000000..8416b2fd
--- /dev/null
+++ b/THIRD_PARTY_LICENSES
@@ -0,0 +1,37 @@
+This project depends on third-party open source software.
+
+---------------------------------------------------------------------
+
+AXe
+https://github.com/cameroncooke/AXe
+
+Copyright (c) Cameron Cooke
+
+Licensed under the MIT License.
+
+---------------------------------------------------------------------
+
+Facebook IDB
+https://github.com/facebook/idb
+
+Copyright (c) Meta Platforms, Inc. and affiliates.
+
+Licensed under the MIT License:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

From 07afd42dfd6259686c6e0319695533870d1b7c87 Mon Sep 17 00:00:00 2001
From: Cameron Cooke <web@cameroncooke.com>
Date: Wed, 4 Mar 2026 09:41:23 +0000
Subject: [PATCH 2/2] Add third-party package license docs

---
 README.md                                     |   1 +
 THIRD_PARTY_PACKAGE_LICENSES.md               | 198 ++++++++++++++++++
 package.json                                  |   2 +
 .../generate-third-party-package-licenses.mjs |  39 ++++
 4 files changed, 240 insertions(+)
 create mode 100644 THIRD_PARTY_PACKAGE_LICENSES.md
 create mode 100644 scripts/generate-third-party-package-licenses.mjs

diff --git a/README.md b/README.md
index 20aaf655..c3e82cad 100644
--- a/README.md
+++ b/README.md
@@ -369,3 +369,4 @@ The CLI uses a per-workspace daemon for stateful operations (log capture, debugg
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
 Third-party licensing notices (including AXe and Meta's IDB MIT attributions) are in [THIRD_PARTY_LICENSES](THIRD_PARTY_LICENSES).
+Generated production npm package attributions are in [THIRD_PARTY_PACKAGE_LICENSES](THIRD_PARTY_PACKAGE_LICENSES.md) (refresh with `npm run license:report`).
diff --git a/THIRD_PARTY_PACKAGE_LICENSES.md b/THIRD_PARTY_PACKAGE_LICENSES.md
new file mode 100644
index 00000000..62e3079e
--- /dev/null
+++ b/THIRD_PARTY_PACKAGE_LICENSES.md
@@ -0,0 +1,198 @@
+# Third-Party Package Licenses
+
+Generated at: 2026-03-04T09:40:24.809Z
+
+This file is generated from production npm dependencies.
+
+| Package | License | Repository |
+| --- | --- | --- |
+| @apm-js-collab/code-transformer@0.8.2 | Apache-2.0 | https://github.com/apm-js-collab/orchestrion-js |
+| @apm-js-collab/tracing-hooks@0.3.1 | Apache-2.0 | https://github.com/apm-js-collab/tracing-hooks |
+| @clack/core@1.0.1 | MIT | https://github.com/bombshell-dev/clack |
+| @clack/prompts@1.0.1 | MIT | https://github.com/bombshell-dev/clack |
+| @hono/node-server@1.19.9 | MIT | https://github.com/honojs/node-server |
+| @modelcontextprotocol/sdk@1.26.0 | MIT | https://github.com/modelcontextprotocol/typescript-sdk |
+| @opentelemetry/api-logs@0.207.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/api-logs@0.211.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/api@1.9.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/context-async-hooks@2.5.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/core@2.5.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/instrumentation-amqplib@0.58.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-connect@0.54.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-dataloader@0.28.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-express@0.59.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-fs@0.30.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-generic-pool@0.54.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-graphql@0.58.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-hapi@0.57.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-http@0.211.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/instrumentation-ioredis@0.59.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-kafkajs@0.20.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-knex@0.55.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-koa@0.59.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-lru-memoizer@0.55.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-mongodb@0.64.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-mongoose@0.57.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-mysql@0.57.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-mysql2@0.57.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-pg@0.63.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-redis@0.59.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-tedious@0.30.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation-undici@0.21.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/instrumentation@0.207.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/instrumentation@0.211.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/redis-common@0.38.2 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @opentelemetry/resources@2.5.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/sdk-trace-base@2.5.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/semantic-conventions@1.39.0 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js |
+| @opentelemetry/sql-common@0.41.2 | Apache-2.0 | https://github.com/open-telemetry/opentelemetry-js-contrib |
+| @prisma/instrumentation@7.2.0 | Apache-2.0 | https://github.com/prisma/prisma |
+| @sentry/cli-darwin@3.1.0 | FSL-1.1-MIT | https://github.com/getsentry/sentry-cli |
+| @sentry/cli@3.1.0 | FSL-1.1-MIT | https://github.com/getsentry/sentry-cli |
+| @sentry/core@10.38.0 | MIT | https://github.com/getsentry/sentry-javascript |
+| @sentry/node-core@10.38.0 | MIT | https://github.com/getsentry/sentry-javascript |
+| @sentry/node@10.38.0 | MIT | https://github.com/getsentry/sentry-javascript |
+| @sentry/opentelemetry@10.38.0 | MIT | https://github.com/getsentry/sentry-javascript |
+| @types/connect@3.4.38 | MIT | https://github.com/DefinitelyTyped/DefinitelyTyped |
+| @types/mysql@2.15.27 | MIT | https://github.com/DefinitelyTyped/DefinitelyTyped |
+| @types/node@22.17.1 | MIT | https://github.com/DefinitelyTyped/DefinitelyTyped |
+| @types/pg-pool@2.0.7 | MIT | https://github.com/DefinitelyTyped/DefinitelyTyped |
+| @types/pg@8.15.6 | MIT | https://github.com/DefinitelyTyped/DefinitelyTyped |
+| @types/tedious@4.0.14 | MIT | https://github.com/DefinitelyTyped/DefinitelyTyped |
+| accepts@2.0.0 | MIT | https://github.com/jshttp/accepts |
+| acorn-import-attributes@1.9.5 | MIT | https://github.com/xtuc/acorn-import-attributes |
+| acorn@8.15.0 | MIT | https://github.com/acornjs/acorn |
+| ajv-formats@3.0.1 | MIT | https://github.com/ajv-validator/ajv-formats |
+| ajv@8.18.0 | MIT | https://github.com/ajv-validator/ajv |
+| ansi-regex@5.0.1 | MIT | https://github.com/chalk/ansi-regex |
+| ansi-styles@4.3.0 | MIT | https://github.com/chalk/ansi-styles |
+| balanced-match@4.0.4 | MIT | https://github.com/juliangruber/balanced-match |
+| big-integer@1.6.52 | Unlicense | https://github.com/peterolson/BigInteger.js |
+| body-parser@2.2.1 | MIT | https://github.com/expressjs/body-parser |
+| bplist-parser@0.3.2 | MIT | https://github.com/nearinfinity/node-bplist-parser |
+| brace-expansion@5.0.3 | MIT | https://github.com/juliangruber/brace-expansion |
+| bytes@3.1.2 | MIT | https://github.com/visionmedia/bytes.js |
+| call-bind-apply-helpers@1.0.2 | MIT | https://github.com/ljharb/call-bind-apply-helpers |
+| call-bound@1.0.4 | MIT | https://github.com/ljharb/call-bound |
+| chokidar@5.0.0 | MIT | https://github.com/paulmillr/chokidar |
+| cjs-module-lexer@2.2.0 | MIT | https://github.com/nodejs/cjs-module-lexer |
+| cliui@8.0.1 | ISC | https://github.com/yargs/cliui |
+| color-convert@2.0.1 | MIT | https://github.com/Qix-/color-convert |
+| color-name@1.1.4 | MIT | https://github.com/colorjs/color-name |
+| content-disposition@1.0.0 | MIT | https://github.com/jshttp/content-disposition |
+| content-type@1.0.5 | MIT | https://github.com/jshttp/content-type |
+| cookie-signature@1.2.2 | MIT | https://github.com/visionmedia/node-cookie-signature |
+| cookie@0.7.2 | MIT | https://github.com/jshttp/cookie |
+| cors@2.8.5 | MIT | https://github.com/expressjs/cors |
+| cross-spawn@7.0.6 | MIT | https://github.com/moxystudio/node-cross-spawn |
+| debug@4.4.3 | MIT | https://github.com/debug-js/debug |
+| depd@2.0.0 | MIT | https://github.com/dougwilson/nodejs-depd |
+| dunder-proto@1.0.1 | MIT | https://github.com/es-shims/dunder-proto |
+| ee-first@1.1.1 | MIT | https://github.com/jonathanong/ee-first |
+| emoji-regex@8.0.0 | MIT | https://github.com/mathiasbynens/emoji-regex |
+| encodeurl@2.0.0 | MIT | https://github.com/pillarjs/encodeurl |
+| es-define-property@1.0.1 | MIT | https://github.com/ljharb/es-define-property |
+| es-errors@1.3.0 | MIT | https://github.com/ljharb/es-errors |
+| es-object-atoms@1.1.1 | MIT | https://github.com/ljharb/es-object-atoms |
+| escalade@3.2.0 | MIT | https://github.com/lukeed/escalade |
+| escape-html@1.0.3 | MIT | https://github.com/component/escape-html |
+| etag@1.8.1 | MIT | https://github.com/jshttp/etag |
+| eventsource-parser@3.0.3 | MIT | https://github.com/rexxars/eventsource-parser |
+| eventsource@3.0.7 | MIT | git://git@github.com/EventSource/eventsource |
+| express-rate-limit@8.2.1 | MIT | https://github.com/express-rate-limit/express-rate-limit |
+| express@5.2.1 | MIT | https://github.com/expressjs/express |
+| fast-deep-equal@3.1.3 | MIT | https://github.com/epoberezkin/fast-deep-equal |
+| fast-uri@3.1.0 | BSD-3-Clause | https://github.com/fastify/fast-uri |
+| finalhandler@2.1.0 | MIT | https://github.com/pillarjs/finalhandler |
+| forwarded-parse@2.1.2 | MIT | https://github.com/lpinca/forwarded-parse |
+| forwarded@0.2.0 | MIT | https://github.com/jshttp/forwarded |
+| fresh@2.0.0 | MIT | https://github.com/jshttp/fresh |
+| function-bind@1.1.2 | MIT | https://github.com/Raynos/function-bind |
+| get-caller-file@2.0.5 | ISC | https://github.com/stefanpenner/get-caller-file |
+| get-intrinsic@1.3.0 | MIT | https://github.com/ljharb/get-intrinsic |
+| get-proto@1.0.1 | MIT | https://github.com/ljharb/get-proto |
+| gopd@1.2.0 | MIT | https://github.com/ljharb/gopd |
+| has-symbols@1.1.0 | MIT | https://github.com/inspect-js/has-symbols |
+| hasown@2.0.2 | MIT | https://github.com/inspect-js/hasOwn |
+| hono@4.12.3 | MIT | https://github.com/honojs/hono |
+| http-errors@2.0.1 | MIT | https://github.com/jshttp/http-errors |
+| iconv-lite@0.7.0 | MIT | https://github.com/pillarjs/iconv-lite |
+| import-in-the-middle@2.0.6 | Apache-2.0 | https://github.com/nodejs/import-in-the-middle |
+| inherits@2.0.4 | ISC | https://github.com/isaacs/inherits |
+| ip-address@10.0.1 | MIT | https://github.com/beaugunderson/ip-address |
+| ipaddr.js@1.9.1 | MIT | https://github.com/whitequark/ipaddr.js |
+| is-fullwidth-code-point@3.0.0 | MIT | https://github.com/sindresorhus/is-fullwidth-code-point |
+| is-promise@4.0.0 | MIT | https://github.com/then/is-promise |
+| isexe@2.0.0 | ISC | https://github.com/isaacs/isexe |
+| jose@6.1.3 | MIT | https://github.com/panva/jose |
+| json-schema-traverse@1.0.0 | MIT | https://github.com/epoberezkin/json-schema-traverse |
+| json-schema-typed@8.0.2 | BSD-2-Clause | https://github.com/RemyRylan/json-schema-typed |
+| math-intrinsics@1.1.0 | MIT | https://github.com/es-shims/math-intrinsics |
+| media-typer@1.1.0 | MIT | https://github.com/jshttp/media-typer |
+| merge-descriptors@2.0.0 | MIT | https://github.com/sindresorhus/merge-descriptors |
+| mime-db@1.54.0 | MIT | https://github.com/jshttp/mime-db |
+| mime-types@3.0.1 | MIT | https://github.com/jshttp/mime-types |
+| minimatch@9.0.7 | ISC | https://github.com/isaacs/minimatch |
+| module-details-from-path@1.0.4 | MIT | https://github.com/watson/module-details-from-path |
+| ms@2.1.3 | MIT | https://github.com/vercel/ms |
+| negotiator@1.0.0 | MIT | https://github.com/jshttp/negotiator |
+| object-assign@4.1.1 | MIT | https://github.com/sindresorhus/object-assign |
+| object-inspect@1.13.4 | MIT | https://github.com/inspect-js/object-inspect |
+| on-finished@2.4.1 | MIT | https://github.com/jshttp/on-finished |
+| once@1.4.0 | ISC | https://github.com/isaacs/once |
+| parseurl@1.3.3 | MIT | https://github.com/pillarjs/parseurl |
+| path-key@3.1.1 | MIT | https://github.com/sindresorhus/path-key |
+| path-to-regexp@8.2.0 | MIT | https://github.com/pillarjs/path-to-regexp |
+| pg-int8@1.0.1 | ISC | https://github.com/charmander/pg-int8 |
+| pg-protocol@1.11.0 | MIT | https://github.com/brianc/node-postgres |
+| pg-types@2.2.0 | MIT | https://github.com/brianc/node-pg-types |
+| picocolors@1.1.1 | ISC | https://github.com/alexeyraspopov/picocolors |
+| pkce-challenge@5.0.0 | MIT | https://github.com/crouchcd/pkce-challenge |
+| postgres-array@2.0.0 | MIT | https://github.com/bendrucker/postgres-array |
+| postgres-bytea@1.0.1 | MIT | https://github.com/bendrucker/postgres-bytea |
+| postgres-date@1.0.7 | MIT | https://github.com/bendrucker/postgres-date |
+| postgres-interval@1.2.0 | MIT | https://github.com/bendrucker/postgres-interval |
+| progress@2.0.3 | MIT | https://github.com/visionmedia/node-progress |
+| proxy-addr@2.0.7 | MIT | https://github.com/jshttp/proxy-addr |
+| proxy-from-env@1.1.0 | MIT | https://github.com/Rob--W/proxy-from-env |
+| qs@6.14.2 | BSD-3-Clause | https://github.com/ljharb/qs |
+| range-parser@1.2.1 | MIT | https://github.com/jshttp/range-parser |
+| raw-body@3.0.2 | MIT | https://github.com/stream-utils/raw-body |
+| readdirp@5.0.0 | MIT | https://github.com/paulmillr/readdirp |
+| require-directory@2.1.1 | MIT | https://github.com/troygoode/node-require-directory |
+| require-from-string@2.0.2 | MIT | https://github.com/floatdrop/require-from-string |
+| require-in-the-middle@8.0.1 | MIT | https://github.com/nodejs/require-in-the-middle |
+| router@2.2.0 | MIT | https://github.com/pillarjs/router |
+| safe-buffer@5.2.1 | MIT | https://github.com/feross/safe-buffer |
+| safer-buffer@2.1.2 | MIT | https://github.com/ChALkeR/safer-buffer |
+| send@1.2.0 | MIT | https://github.com/pillarjs/send |
+| serve-static@2.2.0 | MIT | https://github.com/expressjs/serve-static |
+| setprototypeof@1.2.0 | ISC | https://github.com/wesleytodd/setprototypeof |
+| shebang-command@2.0.0 | MIT | https://github.com/kevva/shebang-command |
+| shebang-regex@3.0.0 | MIT | https://github.com/sindresorhus/shebang-regex |
+| side-channel-list@1.0.0 | MIT | https://github.com/ljharb/side-channel-list |
+| side-channel-map@1.0.1 | MIT | https://github.com/ljharb/side-channel-map |
+| side-channel-weakmap@1.0.2 | MIT | https://github.com/ljharb/side-channel-weakmap |
+| side-channel@1.1.0 | MIT | https://github.com/ljharb/side-channel |
+| sisteransi@1.0.5 | MIT | https://github.com/terkelg/sisteransi |
+| statuses@2.0.2 | MIT | https://github.com/jshttp/statuses |
+| string-width@4.2.3 | MIT | https://github.com/sindresorhus/string-width |
+| strip-ansi@6.0.1 | MIT | https://github.com/chalk/strip-ansi |
+| toidentifier@1.0.1 | MIT | https://github.com/component/toidentifier |
+| type-is@2.0.1 | MIT | https://github.com/jshttp/type-is |
+| undici-types@6.21.0 | MIT | https://github.com/nodejs/undici |
+| undici@6.23.0 | MIT | https://github.com/nodejs/undici |
+| unpipe@1.0.0 | MIT | https://github.com/stream-utils/unpipe |
+| uuid@11.1.0 | MIT | https://github.com/uuidjs/uuid |
+| vary@1.1.2 | MIT | https://github.com/jshttp/vary |
+| which@2.0.2 | ISC | https://github.com/isaacs/node-which |
+| wrap-ansi@7.0.0 | MIT | https://github.com/chalk/wrap-ansi |
+| wrappy@1.0.2 | ISC | https://github.com/npm/wrappy |
+| xcodebuildmcp@2.1.0 | MIT | https://github.com/getsentry/XcodeBuildMCP |
+| xtend@4.0.2 | MIT | https://github.com/Raynos/xtend |
+| y18n@5.0.8 | ISC | https://github.com/yargs/y18n |
+| yaml@2.8.2 | ISC | https://github.com/eemeli/yaml |
+| yargs-parser@21.1.1 | ISC | https://github.com/yargs/yargs-parser |
+| yargs@17.7.2 | MIT | https://github.com/yargs/yargs |
+| zod-to-json-schema@3.25.1 | ISC | https://github.com/StefanTerdell/zod-to-json-schema |
+| zod@4.3.2 | MIT | https://github.com/colinhacks/zod |
diff --git a/package.json b/package.json
index 7257e5d5..a2504f92 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,8 @@
     "docs:update": "npx tsx scripts/update-tools-docs.ts",
     "docs:update:dry-run": "npx tsx scripts/update-tools-docs.ts --dry-run --verbose",
     "docs:check": "node scripts/check-docs-cli-commands.js",
+    "license:report": "node scripts/generate-third-party-package-licenses.mjs",
+    "license:check": "npx -y license-checker --production --onlyAllow 'MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Unlicense;FSL-1.1-MIT'",
     "test": "vitest run",
     "test:smoke": "npm run build && vitest run --config vitest.smoke.config.ts",
     "test:watch": "vitest",
diff --git a/scripts/generate-third-party-package-licenses.mjs b/scripts/generate-third-party-package-licenses.mjs
new file mode 100644
index 00000000..96e60438
--- /dev/null
+++ b/scripts/generate-third-party-package-licenses.mjs
@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+
+import { execSync } from "node:child_process";
+import { writeFileSync } from "node:fs";
+import path from "node:path";
+
+const outputPath = path.resolve(process.cwd(), "THIRD_PARTY_PACKAGE_LICENSES.md");
+
+const raw = execSync("npx -y license-checker --production --json", {
+  encoding: "utf8",
+});
+const licenses = JSON.parse(raw);
+
+const rows = Object.entries(licenses)
+  .map(([name, meta]) => {
+    const license = Array.isArray(meta.licenses)
+      ? meta.licenses.join(", ")
+      : String(meta.licenses ?? "UNKNOWN");
+    const repository = String(meta.repository ?? "");
+    return { name, license, repository };
+  })
+  .sort((a, b) => a.name.localeCompare(b.name));
+
+const now = new Date().toISOString();
+const lines = [
+  "# Third-Party Package Licenses",
+  "",
+  `Generated at: ${now}`,
+  "",
+  "This file is generated from production npm dependencies.",
+  "",
+  "| Package | License | Repository |",
+  "| --- | --- | --- |",
+  ...rows.map((row) => `| ${row.name} | ${row.license} | ${row.repository} |`),
+  "",
+];
+
+writeFileSync(outputPath, lines.join("\n"), "utf8");
+console.log(`Wrote ${rows.length} entries to ${outputPath}`);