Code-Growers/flutter_licences_mcp

Flutter Licences MCP Server

An MCP server that scans Flutter/Dart projects for their open-source dependency licences and enforces compliance with your business's approved licence list.

The Problem: AI Agents Don't Check Licences

In modern agentic development workflows, AI coding assistants add packages to your pubspec.yaml autonomously — they scaffold features, fix bugs, and prototype integrations, all without pausing to audit the licence of every package they pull in.

This creates a real legal risk. A single copyleft dependency (GPL, AGPL) sneaking into a commercial product can impose obligations you did not choose. Traditional CI gates catch this late. Agents add packages early and often.

The solution: force agents to check licences before they add a package, using this MCP server and an AGENTS.md steering file in your repo.

How It Works

  1. Install this MCP server in your AI assistant's MCP configuration.
  2. Add an AGENTS.md file to your repository root with your approved licence policy.
  3. AI agents that respect AGENTS.md will call check_licence_compliance before adding dependencies, and will stop (or warn) if a package's licence is not on your approved list.

Installation

Activate the global Dart tool:

dart pub global activate flutter_licences_mcp

Cursor

Add to .cursor/mcp.json (project) or ~/.cursor/mcp.json (global):

{
  "mcpServers": {
    "flutter_licences": {
      "command": "dart",
      "args": ["pub", "global", "run", "flutter_licences_mcp"]
    }
  }
}

Claude Code

claude mcp add --transport stdio flutter_licences_mcp -- dart pub global run flutter_licences_mcp

VS Code (GitHub Copilot / MCP extension)

Add to your workspace .vscode/mcp.json:

{
  "servers": {
    "flutter_licences": {
      "type": "stdio",
      "command": "dart",
      "args": ["pub", "global", "run", "flutter_licences_mcp"]
    }
  }
}

Ensure ~/.pub-cache/bin is on the PATH visible to your MCP host if you prefer using the executable name directly.

Available Tools

list_licences

Scans a Flutter/Dart project and returns every dependency with its resolved licence type.

Arguments

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| rootDir | string | No | cwd | Absolute path to the project root |
| includeTransitive | boolean | No | true | Include transitive dependencies |

Returns — array of objects, sorted by package name:

[
  {
    "package": "http",
    "version": "1.2.2",
    "dependencyType": "direct",
    "licenceType": "BSD-3-Clause",
    "source": "pub-cache"
  },
  {
    "package": "provider",
    "version": "6.1.2",
    "dependencyType": "direct",
    "licenceType": "MIT",
    "source": "pub-cache"
  },
  {
    "package": "meta",
    "version": "1.15.0",
    "dependencyType": "transitive",
    "licenceType": "BSD-3-Clause",
    "source": "pub-cache"
  }
]

check_licence_compliance

Checks every dependency against your approved licence list and returns a structured compliance report.

Arguments

| Name | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| rootDir | string | No | cwd | Absolute path to the project root |
| allowedLicences | string[] | Yes | | SPDX identifiers your business permits |
| includeTransitive | boolean | No | true | Include transitive dependencies |

Convenience aliases: "BSD" matches both BSD-2-Clause and BSD-3-Clause; "GPL" matches GPL-2.0 and GPL-3.0.

Returns

{
  "compliant":    [ ... ],
  "nonCompliant": [ ... ],
  "unknown":      [ ... ],
  "summary": {
    "total": 42,
    "compliant": 40,
    "nonCompliant": 1,
    "unknown": 1,
    "isCompliant": false,
    "allowedLicences": ["MIT", "BSD", "Apache-2.0", "ISC"]
  }
}
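The classification described above, sketched in Python as an added example (not the project's own code): it expands the two documented aliases and sorts `list_licences`-shaped entries into the report shape shown. Exact-match comparison of identifiers and treating any `Unknown` entry as blocking `isCompliant` are assumptions; the two `example_*` packages are constructed sample data.

```python
import json

# Aliases stated in the README; every other entry is matched as an exact identifier (assumption).
ALIASES = {
    "BSD": {"BSD-2-Clause", "BSD-3-Clause"},
    "GPL": {"GPL-2.0", "GPL-3.0"},
}

def expand_allowed(allowed):
    """Expand convenience aliases into the concrete identifiers they cover."""
    expanded = set()
    for item in allowed:
        expanded |= ALIASES.get(item, {item})
    return expanded

def check_compliance(dependencies, allowed):
    """Classify list_licences-shaped entries into the documented report shape."""
    permitted = expand_allowed(allowed)
    report = {"compliant": [], "nonCompliant": [], "unknown": []}
    for dep in sorted(dependencies, key=lambda d: d["package"]):
        licence = dep.get("licenceType") or "Unknown"
        if licence == "Unknown":
            bucket = "unknown"  # never silently counted as approved
        elif licence in permitted:
            bucket = "compliant"
        else:
            bucket = "nonCompliant"
        report[bucket].append(dep)
    counts = {name: len(items) for name, items in report.items()}
    report["summary"] = {
        "total": len(dependencies),
        **counts,
        # Assumption: an unresolved licence blocks compliance (fail closed).
        "isCompliant": counts["nonCompliant"] == 0 and counts["unknown"] == 0,
        "allowedLicences": list(allowed),
    }
    return report

# Constructed sample: the first three entries mirror the README, the last two are made up.
SAMPLE = [
    {"package": "http", "version": "1.2.2", "dependencyType": "direct", "licenceType": "BSD-3-Clause"},
    {"package": "provider", "version": "6.1.2", "dependencyType": "direct", "licenceType": "MIT"},
    {"package": "meta", "version": "1.15.0", "dependencyType": "transitive", "licenceType": "BSD-3-Clause"},
    {"package": "example_gpl_pkg", "version": "0.0.1", "dependencyType": "transitive", "licenceType": "GPL-3.0"},
    {"package": "example_unlabelled_pkg", "version": "0.0.1", "dependencyType": "direct", "licenceType": "Unknown"},
]

if __name__ == "__main__":
    print(json.dumps(check_compliance(SAMPLE, ["MIT", "BSD", "Apache-2.0", "ISC"])["summary"], indent=2))
```

Under these rules the `GPL` alias does not cover LGPL-2.1 or LGPL-3.0; an allow-list that intends to permit them has to name them explicitly.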

Licence Resolution Strategy

  1. Pub cache (~/.pub-cache/hosted/pub.dev/<name>-<version>/LICENSE) — fastest, offline, most reliable. Used whenever the project has been flutter pub get-ed.
  2. pub.dev REST API — fallback for packages not yet in the local cache (requires network).
  3. Unknown — returned when neither source yields a licence.

Supported identifier detection: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0, ISC, CC, Unlicense, EUPL.
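The three-step fallback above, as an added Python sketch that is not the project's implementation. The text markers in `MARKERS`, the `remote_lookup` callable standing in for the pub.dev request, and the `"remote"` and `"none"` source labels are all assumptions; the cache layout follows the path given in step 1, built here in a temporary directory with constructed contents.

```python
import tempfile
from pathlib import Path

# Assumed text markers (not taken from the project), checked in order.
MARKERS = [
    ("Apache-2.0", ["Apache License", "Version 2.0"]),
    ("MIT", ["Permission is hereby granted, free of charge"]),
    ("BSD-3-Clause", ["Redistribution and use in source and binary forms", "Neither the name"]),
    ("BSD-2-Clause", ["Redistribution and use in source and binary forms"]),
]

def detect_licence(text):
    """Return the first identifier whose markers all appear in the text."""
    flat = " ".join(text.split())  # collapse line wrapping before matching
    for spdx, needles in MARKERS:
        if all(needle in flat for needle in needles):
            return spdx
    return "Unknown"

def resolve_licence(name, version, cache_root, remote_lookup=None):
    """Step 1: LICENSE in the pub cache; step 2: remote fallback; step 3: Unknown."""
    licence_file = Path(cache_root) / "hosted" / "pub.dev" / f"{name}-{version}" / "LICENSE"
    if licence_file.is_file():
        text = licence_file.read_text(encoding="utf-8", errors="replace")
        found = detect_licence(text)
        if found != "Unknown":
            return found, "pub-cache"
    if remote_lookup is not None:
        found = remote_lookup(name, version)  # hypothetical stand-in for the pub.dev call
        if found:
            return found, "remote"
    return "Unknown", "none"

def demo():
    """Resolve three packages against a constructed cache holding only one of them."""
    with tempfile.TemporaryDirectory() as root:
        pkg = Path(root) / "hosted" / "pub.dev" / "provider-6.1.2"
        pkg.mkdir(parents=True)
        (pkg / "LICENSE").write_text(
            "MIT License\n\nPermission is hereby granted, free\nof charge, to any person...\n")
        return [
            resolve_licence("provider", "6.1.2", root),
            resolve_licence("http", "1.2.2", root, remote_lookup=lambda n, v: "BSD-3-Clause"),
            resolve_licence("example_missing_pkg", "0.0.1", root),
        ]

if __name__ == "__main__":
    print(demo())
```

A LICENSE file that is present but matches no marker falls through to the next step instead of being reported as a guess.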

Steering Agents with AGENTS.md

Place an AGENTS.md file (see example) at your repo root. AI agents that follow Anthropic's agent protocol, Cursor rules, or similar standards read this file before taking actions.

A minimal policy block looks like:

## Licence Policy

Before adding any new pub.dev package, call the `check_licence_compliance` MCP tool
with `allowedLicences: ["MIT", "BSD", "Apache-2.0", "ISC"]`.

- If `isCompliant` is `false`, do NOT add the package. Inform the user.
- If `licenceType` is `Unknown`, ask the user to verify before proceeding.

This turns every agent session into a licence-aware workflow without requiring changes to CI pipelines or code review checklists.

Example

See the example/ directory for a Flutter app demonstrating what a project's dependency licence report looks like when scanned by this tool.
