LicenseLeak Changelog

SBOM upload, directory rollup, PR-diff scans, and an org workbench

Tue, 19 May 2026 14:00:00 GMT

A batch of capabilities customers have been asking for landed together: upload an existing SPDX or CycloneDX SBOM instead of a working tree, see findings rolled up by directory, gate PRs on the risk delta of just the changed files via a GitHub Check Run, and (for Agency orgs) get a workbench that rolls up every repo in your org with admin re-grading and an audit log.

Hosted scans now accept an SPDX 2.3 or CycloneDX 1.5 SBOM (`licenseleak scan --sbom sbom.json` or `POST /api/scans` with an `sbom` field) so teams that already produce one in CI can skip the tarball upload - see /docs#cli for the flag table.
Public reports and the dashboard ship a directory rollup view that aggregates findings by folder, with a one-click SPDX compatibility verdict per directory against your project license - verdict rules at /docs/compatibility.
PR-diff and incremental scan modes: pass `--mode diff --base --head ` (or let the GitHub App do it for you) to scan only the changed files and publish a Check Run with the risk delta and a link to the full report - see /docs#github-app.
Pro and Agency can upload a private allow-corpus of internal code so first-party copy doesn't surface as a finding, with per-org scoping and revocable keys - wiring at /docs#org-workbench.
Live scan progress is now streamed over SSE on the scan detail page, no more polling for the spinner.
Agency orgs get a new workbench at `/org/posture` that rolls up every repo, plus an admin re-grading flow with a tamper-evident audit log of every verdict change - see /docs#org-workbench.
Behind the scenes: the snippet matcher is now backed by an LLM ensemble with a content-addressed cache, which keeps p95 scan latency flat as the corpus grows. The AI-provenance scan mode is still beta - see /ai-provenance for the accuracy caveats.

Scanner now graded against 40 real upstream repos, nightly

Sun, 17 May 2026 14:00:00 GMT

Beyond the hand-labeled fixture suite, the nightly adversarial corpus now clones 40 live production codebases - Linux, LLVM, MongoDB, gecko-dev, Blender, Wagtail, Akaunting, Bitwarden, and 32 more - and re-runs the full scanner end-to-end. Latest run: 40/40 green, precision/recall/F1 = 100%.

Added a real-repo adversarial corpus that re-clones 40 verified upstream projects from their public remotes each night and grades every scanner finding against the project's actual license.
Fixed three classification regressions surfaced by the new corpus: Akaunting (BUSL-1.1) misclassification, the §13 Affero clause body matching too aggressively against GPL bodies, and stub-redirect LICENSE files (doc/license, licenses/) being missed.
Self-serve readouts on /security and the home FAQ now publish both the hand-labeled benchmark and the real-repo corpus side by side, with a link to the GitHub Actions nightly so anyone can re-verify it.

See exactly why the crawler is paused, at a glance

Mon, 11 May 2026 14:00:00 GMT

When the nightly corpus crawler stops, the admin dashboard now tells you whether it crashed, was held back by the smoke gate, or has just been latched on a stale state - and for how long.

/admin/corpus shows a distinct banner when the smoke gate is actively blocking a run, with a one-click link to the failing GitHub Actions smoke run and both override paths spelled out.
Same page now surfaces how long any freshness alert has been open ("open since 12h ago"), so you can tell a fresh blip from a multi-day outage without scrolling Slack.
The deadman pinger now alerts on consecutive failures rather than a single hiccup - fewer false 3am pages.
Admin can configure optional reputation sources (deps.dev, OSV) from a real form instead of editing env vars.

Scanner accuracy: harder copy-paste, more permissive licenses, fewer false-cleans

Sun, 10 May 2026 14:00:00 GMT

A run of accuracy work - recovering obfuscated copy-paste, detecting more permissive licenses on vendored files, and refusing to claim "all clear" on repos we couldn't fully parse.

Recovers oversized GCC-style copy-paste through window-sliced indexing - the three hardest obfuscated copy-paste fixtures we had now match.
First-class detection for MPL-2.0, LGPL-with-exception, ISC, and BSD-2-Clause on vendored files; severity language calibrated for permissive-ish copyleft.
Public reports use a three-state coverage header - "all clear", "scope-limited", or "could not parse" - so a parser failure no longer reads as a clean bill of health.
Stops mislabelling Rust and Go scans as "scope-limited" now that those ecosystems are first-class.
Nightly cargo + Go license cache refresh from the real registries, with an alert when the refresh stops ticking.
Drift guard: a new copyleft baseline test catches a new GPL/AGPL dep sneaking in through a transitive bump.

Brand-matched PDF reports, fewer dead links, friendlier failures

Sat, 09 May 2026 14:00:00 GMT

The signed PDF now matches the site, signed reports stop linking to sources that have since vanished, and a few rough edges on the marketing pages are gone.

PDF reports redesigned to match the site - Inter and Space Mono throughout, plus a fix for a signature-integrity edge case on multi-page reports.
Signed reports drop "matched source" links that 404 at view time, so what's printed always resolves.
PR Checks tab now gets a self-scan summary comment so reviewers see scanner status without leaving GitHub.
When a repo is too large to scan in your tier's time budget, you now get an explanatory dialog with next steps instead of a generic failure.
Sitemap freshness bot keeps `` honest without cosmetic churn; /bot SEO and the API reference page render styled again; footer © and a handful of marketing copy fixes.

CLI 0.2.0 - offline-by-default, made obvious

Thu, 07 May 2026 14:00:00 GMT

The CLI was already offline-by-default for local scans; now it says so out loud, and the docs spell out exactly when (and why) it ever talks to the network.

After a successful local scan, `npx licenseleak scan .` now prints a one-line confirmation that no network requests were made.
New `--no-hints` flag suppresses that line for scripts that grep stdout. JSON output (`--format json`) is unaffected - still pure JSON.
README and `/docs` now list every command and flag that triggers an outbound request - `--remote`, GitHub URLs, and `licenseleak whoami`. Nothing else does.
Published as `licenseleak@0.2.0` on npm.
Homepage: privacy reassurance now sits directly under the scan form, the trust strip drops the "SOC-ready" phrasing for a concrete "source deleted in <90s" claim, and the FAQ answers the "why not build it myself?" question head-on.

Launch-readiness check and a quieter ops dashboard

Mon, 04 May 2026 14:00:00 GMT

One command tells us whether we're safe to ship. The admin dashboard now shows the result and trims its own history.

`pnpm launch:check` runs every pre-flight gate (Stripe portal, scanner corpus, queue, Slack) in one shot.
Result is now pinned to the admin home so the team can see go/no-go at a glance.
Ops alert history auto-trims so the table can't grow unbounded between launches.
Seven small testing fixes consolidated to remove flakes from the CI suite.

Founder-ops Slack alerting, daily digest, and a Stripe portal canary

Mon, 27 Apr 2026 14:00:00 GMT

Real-time Slack pings the moment something breaks, plus an end-of-day digest so nothing slips.

Slack alerts on first-time interest signups, scan failures, and outages.
Daily digest summarising scans, signups, and any alerts that fired.
Stripe Customer Portal config is now auto-checked on boot - broken billing pages won't reach customers.

Track demand for new git hosts, opt out of scan emails

Mon, 20 Apr 2026 14:00:00 GMT

Tell us which git host you wish we supported, and decide whether you want a per-scan email.

Settings now has a one-click opt-out for scan-complete emails.
When you paste a URL from a host we don't support yet, we capture it as a vote and surface totals to the team.
Self-service FAQ, friendlier failure email copy, and a cleaner support inbox routing.

Multi-host email capture and a CLI escape hatch for unsupported hosts

Mon, 13 Apr 2026 14:00:00 GMT

Can't find your code on GitHub? Drop us your host and pipe the folder through the CLI in the meantime.

When you paste an unsupported host, we capture your email and notify you the day we add it.
`npx licenseleak scan . --remote` works for any local folder, regardless of what host it lives on.

"Trusted by" social proof and a 50% testimonial credit

Mon, 06 Apr 2026 14:00:00 GMT

Leave us a testimonial after a scan, get half your scan credit back. Plus a tighter scan-time experience for paid plans.

Post-scan testimonial flow with an automatic 50% credit on approval.
Homepage Trusted-by section pulls from real customer logos.
Per-tier scan time limits and clearer messages when a scan brushes the ceiling.

Catch copyleft Java, Kotlin, and Gradle dependencies

Mon, 30 Mar 2026 14:00:00 GMT

AGPL/GPL libraries hidden in Maven and Gradle builds now show up in your report.

First-class detection for copyleft JVM libraries declared in `pom.xml`.
Groovy `build.gradle` parser for the same coverage on Gradle projects.
Healthchecks v4.2 added as a third pinned real-repo smoke test fixture.

Scanner memory cut, lockfile parsing streamed

Mon, 23 Mar 2026 14:00:00 GMT

Big monorepos no longer push the scanner over its memory budget.

Per-file scanner memory reduced - average resident set is roughly half what it was.
Stream parsing for `composer.lock`, `Pipfile.lock`, `Cargo.lock`, and `Gemfile.lock` - no more loading huge lockfiles into RAM.
Scanner memory is now measured in the production-built worker, not just CI.
Fixed a false positive where TypeScript's `watchPublic.ts` was being flagged as GPL.

Quieter dashboard, admin landing page, claims notifications

Mon, 16 Mar 2026 14:00:00 GMT

Stop the 403/503 noise from the dashboard and give the admin team a real home page.

Dashboard no longer spams 403s and 503s when you load it on a slow network.
Admin nav links are hidden for non-admin accounts.
New admin landing page, plus email notifications to the team when a claim is filed.
Flaky scanner webhook delivery retry tests stabilised.

Promotion codes, paid-credit routing, and live Stripe keys

Mon, 09 Mar 2026 14:00:00 GMT

We're on live Stripe with promo code support and a smoother post-checkout flow.

Promotion codes now work on every checkout session.
Paid-credit routing fixed - credit lands on the right account immediately after checkout.
Live Stripe keys and production prices wired in.
Heartbeat monitoring with automated outage alerts is now running 24/7.

Clerk integration docs, logo and tab-title fixes

Mon, 02 Mar 2026 14:00:00 GMT

Small but visible polish across the marketing pages and our auth setup.

Auth now uses the Replit-managed Clerk integration; docs updated to match.
Fixed the broken logo and stale tab title that showed up on a few pages.
Updated the social-share image so links posted to Twitter/LinkedIn look right.

Vector index can be disabled when AI is unavailable

Mon, 23 Feb 2026 14:00:00 GMT

If the AI integration goes down, scans keep working with the deterministic matcher.

Operator flag to disable the vector index when the AI integration is unreachable.
Scanner falls back to deterministic AST matching with no extra config.
User email is now captured at signup and backfilled for older accounts (used for transactional notifications).

False-positive gating on every PR

Mon, 16 Feb 2026 14:00:00 GMT

We now run a vendored mini-corpus on every pull request - a regression in precision blocks the merge.

Vendored mini-corpus catches scanner false positives before they ship.
One-command refresh keeps the noise-floor pins current.
Real public monorepo added as a smoke test so we always test against something we don't control.

Polyglot lockfile coverage and the 50k-file pipeline gate

Mon, 09 Feb 2026 14:00:00 GMT

Scanner now has a real test budget against real repositories, not just synthetic fixtures.

Polyglot lockfile coverage matrix (npm, pip, gem, cargo, composer) under one test.
Memory ceiling regression gate runs the full pipeline against 50k files.
Snippet matcher noise-floor test on 50k real OSS files.
Robustness test for 100MB lockfiles - they no longer hang the worker.

Fail-closed scanner pipeline and CLI walk warnings

Mon, 02 Feb 2026 14:00:00 GMT

If any phase of a scan fails, we stop and tell you - never silently skip findings.

Pre-clone size gate now applies fail-closed for all tiers, public and private.
CLI surfaces warnings during the directory walk so you know which files were skipped.
Pipeline phases now hard-fail on unexpected errors rather than partial-completing.

Local CLI quickstart on the dashboard and pricing page

Mon, 26 Jan 2026 14:00:00 GMT

Discover the `npx licenseleak` CLI without leaving the product.

Dashboard onboarding now documents the local CLI in three lines.
Pricing page shows scoped API keys and the CLI quickstart side-by-side.
Automated accessibility audit runs against every marketing route.

Outbound webhook SSRF fix, public-endpoint DoS hardening

Mon, 19 Jan 2026 14:00:00 GMT

Three security findings remediated and a billing-bypass closed.

Outbound webhooks now block private-network targets (SSRF fix) and enforce per-tier delivery rules.
Public endpoints (share, verify, leaderboard) hardened against denial-of-service.
Closed a billing entitlement bypass on the scan-retry endpoint.

Per-key API scopes and leak detection

Mon, 12 Jan 2026 14:00:00 GMT

Issue least-privilege keys for CI and revoke them per environment.

API keys are now scoped to roles like `scan:submit` or `read-only`.
If a key shows up in an unexpected place or hasn't been used in 90 days, we flag it.
Failed inbound webhook deliveries surface in the admin dashboard for triage.

`npx licenseleak` CLI and push-triggered scans

Mon, 05 Jan 2026 14:00:00 GMT

A local-first CLI that runs the same scanner you get on the website, plus auto-scans on every push.

`npx licenseleak` works offline against any local folder, no signup required for the public path.
Push-triggered scans show on each repo card so you always see the latest result.
Configure auto-scan branches and skip-when-no-deps from the UI.

Auto-scan on every push, with a GitHub account section in Settings

Mon, 22 Dec 2025 14:00:00 GMT

Connect GitHub once and we run a fresh scan every time you push to a watched branch.

GitHub App connection is now managed from a dedicated Settings section.
Auto-scan triggers on push events with no per-repo configuration required.
Self-serve API key generation for Agency and Diligence plans.

Inline GitHub connect on the dashboard and scan flow

Mon, 15 Dec 2025 14:00:00 GMT

Hit a private repo and need GitHub access? Connect right there - no detour.

Inline GitHub connect button appears on the dashboard repo card and on scan failure pages.
Repo URL pasted before signup is now persisted through Clerk and reappears on the new-scan page.

Diligence sales pipeline: admin UI and spam blocking

Mon, 08 Dec 2025 14:00:00 GMT

Real lead management for the Diligence tier, with obvious spam filtered before it hits the inbox.

Admin view for browsing, contacting, and closing Diligence sales leads.
Honeypot + heuristic spam blocking on the Diligence sales form.
Status page shows real incidents from the ops log instead of a hardcoded "all good."

Verifiable demo report and per-user scan-complete webhook

Mon, 01 Dec 2025 14:00:00 GMT

Try the signed-PDF flow without uploading anything, and get a webhook when your scan is done.

Demo report at `/r/acme-co-payments-api` you can verify end-to-end without signing up.
Per-user, HMAC-signed scan-complete webhook for any plan that wants one.

/.well-known/security.txt and a breach-response runbook

Mon, 24 Nov 2025 14:00:00 GMT

If you find a vulnerability, you now have a documented way to tell us.

Published `/.well-known/security.txt` with reporting contacts and policy.
Internal breach-response runbook so the team isn't improvising under pressure.

Real per-day uptime on the status page

Mon, 17 Nov 2025 14:00:00 GMT

The /status sparkline reflects actual measured availability, not a placeholder.

Per-day API uptime tracked from real request logs.
Status sparkline updates daily and feeds the homepage "system secure" badge.
Diligence sales form now writes to a real submission endpoint.

Consent gate for non-essential SDKs and JSON-LD for SEO

Mon, 10 Nov 2025 14:00:00 GMT

Analytics and chat widgets only load after consent, and search engines now have machine-readable context for our pages.

Consent gate helper means non-essential SDKs (analytics, chat) don't load before you accept.
JSON-LD structured data added to home, about, faq, and security for richer search snippets.

Audited /security claims and unique social-share previews

Mon, 03 Nov 2025 14:00:00 GMT

Every claim on the trust page now maps to something we actually do, and every page has its own social-share image.

Audited and corrected the /security trust page so every line maps to running code.
Each page generates a unique Open Graph preview image.
Product screenshot added to the About page.

GDPR cookie banner and a real /status page

Mon, 27 Oct 2025 14:00:00 GMT

Compliance basics done properly - and the status page reflects real signals.

GDPR-compliant cookie / consent banner with granular categories.
/status page now reflects real uptime signals - no fake 100%.
Replaced the placeholder licenseleak.example domain everywhere with the real domain.

Product screenshots on home and pricing, /security trust page

Mon, 20 Oct 2025 14:00:00 GMT

You can see the product before clicking sign-up, and we have a dedicated trust page.

Home and pricing pages now show real product screenshots, not just text.
New /security page documents how we handle code, encryption, and access.
Scan-complete email is wired up properly (or removed where the promise wasn't being kept).

Launched SEO, Open Graph, robots and sitemap

Mon, 13 Oct 2025 14:00:00 GMT

Search engines and social cards now have everything they need.

Per-page meta tags, Open Graph, Twitter cards, canonical URLs.
robots.txt and sitemap.xml shipped.
Automated tests for the LicenseLeak fix-PR generator added to CI.

Dashboard fails loudly, failed scans auto-refund

Mon, 06 Oct 2025 14:00:00 GMT

When something goes wrong, the product tells you - and your money comes back.

Dashboard now surfaces an obvious error when the API returns HTML (typically a deploy hiccup) instead of silently breaking.
Failed Stripe-paid scans are now auto-refunded via real Stripe refunds.
Share-link upgrade nudge appears inside the app when you'd benefit from a higher tier.

Rate limits work correctly across multiple replicas

Mon, 29 Sep 2025 14:00:00 GMT

We can scale the API horizontally without the rate limiter getting confused.

Rate limiting now uses a shared store so it stays consistent across replicas.
Snippet matcher detects longer and renamed copyleft snippets that previously slipped through.
Admin ops dashboard shows queue health (depth, lag, oldest job).

Launch-day load test and the high-demand banner

Mon, 22 Sep 2025 14:00:00 GMT

We rehearsed launch-day traffic and added a banner so users know when we're catching up.

Launch-day load and queue stress test run against staging - results captured for next time.
"High demand" banner appears on the dashboard during launch-day spikes so users aren't confused by extra wait.
Real Stripe refunds for failed paid scans (replacing the placeholder credit flow).

Account-deletion confirmation email and SSRF hardening

Mon, 15 Sep 2025 14:00:00 GMT

We confirm destructive actions and we don't let scans phone home to private networks.

Confirmation email when you delete your account, with a 30-day grace period.
Repo cloning hardened against SSRF and abuse - private IPs and link-local addresses are blocked.

Scan failure UX, async completion notifications, retention policy

Mon, 08 Sep 2025 14:00:00 GMT

When something fails, we tell you what to do. And we now publish exactly what we keep.

Scan failure pages explain what happened and the next step (retry, contact us, switch tier).
Async completion notifications via email when a long scan finishes.
Data retention and repo-privacy policy published.
API client code generator repaired so SDK users get correct types again.

Scanner corpus validation and an uptime page

Mon, 01 Sep 2025 14:00:00 GMT

Real validation of what we detect, and a public page showing whether we're up.

Scanner corpus populated and validated end-to-end with precision/recall numbers.
Public /status page with uptime history and current incidents.
Removed fictional testimonials from the landing page (we'll bring real ones back later).

Legal pages and end-to-end tests

Mon, 25 Aug 2025 14:00:00 GMT

Privacy, Terms, and an MSA you can read - plus broad e2e coverage.

Privacy Policy, Terms of Service, and Master Service Agreement published.
Broad end-to-end Playwright suite covering signup → scan → refund → admin.
Pricing page display logic updated to match plan changes.

Scanner engine: AST fingerprinting and signed PDF reports

Mon, 18 Aug 2025 14:00:00 GMT

The first real version of the scanner engine - AST shingles, vector ANN, signed reports.

AST shingle fingerprinting normalised so renames and reformats don't hide a copyleft span.
Approximate-nearest-neighbor index over a curated AGPL/GPL corpus.
Signed SHA-256 PDF report you can drop into a data room.
Risk summary on every scan result and social proof on the home page.

Foundation: API, database, auth, billing

Mon, 04 Aug 2025 14:00:00 GMT

The first ship of the LicenseLeak product - sign up, pay, run a scan.

Postgres-backed API with Clerk auth and Stripe billing.
Three-tier pricing (Free / Pro / Agency) wired through entitlements.
Webhook security and weekly stats reporting from day one.
End-to-end license scanning happy path against public GitHub repos.