Skip to content

[C29][C68] infra: license contradictions (ISC vs MIT vs no LICENSE file) and a four-way naming split #23

Description

@GFier

From the 2026-07-06 codebase audit (docs/audits/codebase-audit-2026-07-06.md, in-repo). Finding IDs are stable — cite them in fixes.

Severity: High · Status: CONFIRMED (repo-link liveness PLAUSIBLE)

C29 — license: root package.json says "license": "ISC"; root readme says MIT; website/package.json says MIT; no LICENSE file exists anywhere (verified). Until fixed, the package is effectively "all rights reserved" for any consumer whose legal review reads the contradiction. package.json's repository and the readme/website footer link to github.com/darkroomengineering/elastica while the git remote is elastic-collisions.git (GitHub redirects today, but the identities disagree).

C68 — naming: npm @darkroom.engineering/elastica · git remote elastic-collisions · directory elastic-collision · workspace packages elastic-collisions and react-elastic-collision-wrapper (the engine package has no version/main/exports — it exists only as a build-script holder) · website elastica-website. And window.elasticaVersion (website/app/layout.tsx:82) reports the website's 1.0.0 — matching no published library version, so a prod debug session gets a number that identifies nothing.

Direction

Pick MIT (the stated intent), add the LICENSE file, align package.json license + repository URL; converge naming on elastica everywhere; report the real library version or drop the global. (Open questions 14/15 in the audit.)

Metadata

Metadata

Assignees

No one assigned

    Labels

    auditFinding from a codebase audithighHigh severityinfraRepo tooling, CI, packaging

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions