chore: replace MIT with proprietary view-only LICENSE + harden .gitignore#22
Merged
The repo had MIT LICENSE in the working tree from `flutter create`. MIT explicitly grants "use, copy, modify, merge, publish, distribute, sublicense, and/or sell" — opposite of the copyright holder's actual intent, which is source-available for review only. Replace with a proprietary view-only / All Rights Reserved license:
- Section 1 enumerates exactly what IS permitted (viewing on GitHub, cloning for offline reading, submitting issues / PRs / advisories, attributed quotation under fair use). Everything else is forbidden.
- Section 2 enumerates the forbidden uses: production / commercial / personal-project use, modification, redistribution, ML training as input, reverse-engineering compiled App Store builds, and unauthorized use of project marks.
- Section 4 wires inbound-equals-outbound: contributors grant the copyright holder a perpetual, sublicensable, relicensable license to incorporate their PR.
- Section 5 explicitly REVOKES the prior MIT grant going forward while preserving the rights of any good-faith downloader who retained an MIT-era copy (without backwards remediation, the prior MIT remains in git history).
- Section 6 routes commercial / OEM / licensing inquiries through tyler.lundeen1995@gmail.com.
- Wyoming jurisdiction. Severability + canonical-file clauses.

Update README.md license section to match — no lingering MIT references anywhere in the working tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…leaks
Add a public-repo hardening block to .gitignore covering every category
of file that should never end up in source control:
- Android signing & local config: key.properties, *.jks, *.keystore,
google-services.json, local.properties, captures/
- iOS user-state, signing, Firebase: GoogleService-Info.plist,
Generated.xcconfig, **/xcuserdata/, **/*.xcuserstate, **/DerivedData/,
**/Pods/
- Apple provisioning / certificates / push: *.mobileprovision,
*.provisionprofile, *.p8, *.p12, *.cer, *.certSigningRequest
- Generic credential files: *.pem, *.key, *.crt, *.pfx,
service-account*.json, firebase-adminsdk*.json, client_secret*.json,
credentials.json, secrets/
- Env files: .env, .env.* (allow-list .env.example)
- IDE per-user state: .idea/, *.iml, .vscode/* (allow-list specific
shareable VS Code config files)
- Security-tool reports: gitleaks-report.{json,sarif},
trufflehog-report.json, .semgrep/
Verified zero existing tracked files match these patterns via
`git ls-files | grep -E ...` before the change. Verified zero
historical commits ever touched these paths via
`git log --all --full-history -- <path>` for 13 sensitive paths.
gitleaks 8.x scan: 67 commits / 0 leaks. TruffleHog 3.95.2 scan:
626 chunks / 0 verified, 0 unverified secrets. The repo is clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
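As an added illustration (not code from this PR or the project) of how the allow-list entries in that block behave, the following Python evaluates a constructed excerpt of the hardening patterns the way git does, including the rule that a file under an ignored directory cannot be re-included (which is why the block uses `.vscode/*` plus negations rather than `.vscode/`), and runs the commit's pre-change "do any tracked files match" check over a constructed `git ls-files` listing. The patterns, paths and function names are assumptions, not the PR's actual file.

```python
import re
# Constructed excerpt of the PR's hardening block (assumption: same categories and the
# same allow-list idea for .env and .vscode, not the PR's exact file).
HARDENING_BLOCK = """
*.jks
**/xcuserdata/
service-account*.json
secrets/
.env
.env.*
!.env.example
.vscode/*
!.vscode/settings.json
"""

def parse_gitignore(text):
    """One (regex, dir_only, negate) triple per line, in file order. Supported subset:
    '!' negation, trailing '/' = directory only, leading '**/' = any depth, '*' never
    crosses '/', no slash = match at any depth, any other slash = anchored at the root."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate, pat = line.startswith("!"), line.lstrip("!")
        dir_only, pat = pat.endswith("/"), pat.rstrip("/")
        any_depth = pat.startswith("**/") or "/" not in pat
        pat = pat[3:] if pat.startswith("**/") else pat.lstrip("/")
        body = "".join("[^/]*" if c == "*" else re.escape(c) for c in pat)
        rules.append((re.compile(("(?:.*/)?" if any_depth else "") + body), dir_only, negate))
    return rules

def is_ignored(path, rules):
    """Git semantics: the last matching rule wins, and a path under an excluded
    directory stays excluded even if a later '!' rule names it (no re-inclusion)."""
    parts = path.split("/")
    for depth in range(1, len(parts) + 1):
        sub, is_dir = "/".join(parts[:depth]), depth < len(parts)
        ignored = False
        for regex, dir_only, negate in rules:
            if (is_dir or not dir_only) and regex.fullmatch(sub):
                ignored = not negate
        if ignored and is_dir:
            return True  # excluded parent directory: children cannot be re-included
    return ignored

def audit_tracked(tracked, rules):
    """The commit's pre-change check: tracked paths the new block would have ignored."""
    return [p for p in tracked if is_ignored(p, rules)]
```

One syntax caveat for the real file: gitignore has no brace expansion, so a report pattern written as `gitleaks-report.{json,sarif}` matches only that literal name and must be split into two lines.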
Pull request overview
This PR prepares the repository for a public GitHub listing by replacing the scaffolded MIT license with a proprietary “view-only / all rights reserved” LICENSE, updating the README to reflect the new licensing posture, and tightening .gitignore to reduce the chance of committing credentials or local machine state.
Changes:
- Replaced the MIT `LICENSE` with a proprietary view-only license, including contribution terms and a prior-license notice.
- Updated `README.md` to summarize the proprietary licensing terms and direct readers to `LICENSE`.
- Added a "public-repo hardening" block to `.gitignore` to ignore common secret-bearing files and local artifacts.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| README.md | Updates the License section to reflect the new proprietary licensing terms. |
| LICENSE | Replaces the MIT license with a proprietary view-only license and contribution/prior-license clauses. |
| .gitignore | Adds additional ignore rules intended to prevent credential/local-state leakage before going public. |
Comment on lines +82 to +85
| No license is granted to use, copy, modify, or redistribute. See | ||
| [`LICENSE`](LICENSE) for the full terms, including the contribution | ||
| clause that governs pull requests and issues. Commercial / OEM / | ||
| licensing inquiries: see Section 6 of `LICENSE`. |
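Review bot: the README summary "No license is granted to use, copy, modify, or redistribute" reads stricter than the LICENSE it points to, since the PR description says Section 1 expressly permits viewing on GitHub, cloning for offline reading, and submitting issues, PRs and advisories. Suggest naming those permitted review uses next to the pointer so README and LICENSE agree, e.g. "Source-available for review only; see Section 1 of `LICENSE` for the permitted uses."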
Comment on lines +8 to +11
| the "Software"), is proprietary and confidential. The Software is made | ||
| available on GitHub for the sole purpose of public review under the | ||
| terms below. NO LICENSE, EXPRESS OR IMPLIED, IS GRANTED TO ANY PERSON | ||
| OR ENTITY EXCEPT AS SPECIFICALLY SET FORTH IN THIS DOCUMENT. |
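Review bot: "proprietary and confidential" on lines 8-9 sits oddly beside the next sentence, which says the Software is published on GitHub for public review; content in a public repository cannot be kept confidential, and the mismatch invites argument about the rest of the notice. Suggest dropping "and confidential" (or "proprietary; made publicly available for review only") and keeping the all-caps no-license sentence as is.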
Comment on lines +46 to +48
| (b) Copy, modify, adapt, translate, port, or create derivative works | ||
| of the Software, whether for personal, educational, commercial, | ||
| or any other purpose. |
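Review bot: item (b) forbids copying "for personal, educational, commercial, or any other purpose", but the PR description says Section 1 permits cloning for offline reading and attributed quotation, and a clone is a copy. Suggest opening the item with "Except as expressly permitted in Section 1," so the two sections cannot be read against each other.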
Comment on lines +52 to +55
| to any third party. The GitHub "Fork" feature is permitted only | ||
| to the extent required by GitHub's Terms of Service to enable | ||
| pull-request workflows; forks must not be used to publish, | ||
| distribute, or operate the Software independently. |
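Review bot: the fork clause uses GitHub's Terms of Service as its boundary, but by making a repository public the owner already agrees under those terms to let every GitHub user view and fork it, so "only to the extent required" does not narrow anything. The enforceable part is the second sentence; consider stating it directly ("Forks may be created only to prepare pull requests and must not be used to publish, distribute, or operate the Software") and dropping the ToS qualifier.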
Comment on lines +118 to +131
| contained an MIT License notice that was committed in error and never | ||
| reflected the copyright holder's actual licensing intent. To the | ||
| maximum extent permitted by law, the copyright holder revokes any | ||
| prior MIT License grant with respect to the Software, EXCEPT that any | ||
| person who, before the date of this revision, downloaded a copy of the | ||
| Software in good-faith reliance on the MIT License notice may continue | ||
| to use that specific downloaded copy under the MIT License terms — but | ||
| must not redistribute, modify, or use any updated version of the | ||
| Software except under the proprietary terms in this file. | ||
|
|
||
| If you are unsure whether your use is covered by the prior MIT grant, | ||
| contact the copyright holder for written clarification before | ||
| proceeding. | ||
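Review bot: "committed in error" on line 118 does not match the first commit message in this PR, which says the MIT file came from the `flutter create` scaffold and acknowledges that the MIT text stays in git history; anyone cloning the repository today still receives that MIT-era file, so the safe-harbor cutoff "before the date of this revision" should be a concrete date (or commit) written into the clause rather than left implicit. Suggest a neutral cause ("was included by the project scaffold") and inserting the revision date where the cutoff is stated.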
Why now

Tyler is flipping the repo public to list it on LinkedIn. Origin/main currently ships the MIT License from the `flutter create` scaffold — that explicitly grants the world the right to use, copy, modify, sublicense, and sell. Opposite of intent. This must land before visibility flips to public.

Two atomic commits

- `chore: replace MIT with proprietary view-only / All Rights Reserved` — full proprietary LICENSE (Sections 1–8: permitted uses, forbidden uses, no warranty, contribution clause, prior-MIT revocation with good-faith downloader safe-harbor, commercial-inquiries contact, Wyoming jurisdiction, severability). README.md license section updated to match.
- `chore(security): tighten .gitignore against credential / local-state leaks` — adds a public-repo-hardening block: Android signing files, iOS user-state, Apple certs, generic credentials, env files, IDE per-user state, security-tool reports.

Secret audit

Verified before opening this PR:
- `git log --all` for 13 sensitive paths
- `git ls-files` regex for credential patterns

Stacking note

This branches off `origin/main` directly — drops the v1.0 commit dependency that PR #20 inherited, so the format/commitlint failures on PR #20 don't propagate here. PR #20 will be closed in favor of this once merged. Checklist doc (docs/PUBLIC_REPO_CHECKLIST.md) and remaining hygiene work from PR #20 can land in a follow-up — not blocking the public-flip.

Test plan

- `chore:` and `chore(security):` are valid commitlint types — should pass
- `gh repo edit --visibility public --accept-visibility-change-consequences`

Follow-ups (not blocking the merge / public-flip)

- ci/professional-hardening) — fixes the gitleaks pull-request perm issue + adds 6 pro security workflows
- `docs/PUBLIC_REPO_CHECKLIST.md` from PR "chore: proprietary view-only LICENSE + tightened .gitignore + go-public checklist" #20 in a follow-up doc commit

🤖 Generated with Claude Code