Fix licensing vulnerabilities and strengthen freemium model legal protections (#1823)

* Update licensing documents to clarify Pro features and license validation requirements

- Enhanced the LICENSE.md to specify that Pro-licensed directories require a valid subscription and outline prohibitions against circumventing license validation.
- Updated package.json to reflect a dual license of MIT and Proprietary.
- Revised REACT-ON-RAILS-PRO-LICENSE.md to include new clauses regarding license validation and compliance.
- Modified DIRECTORY_LICENSING.md to clarify the nature of Pro features in the repository.
- Adjusted LICENSING_FAQ.md to accurately describe the licensing structure and requirements for Pro features.

* Update LICENSE.md and package.json to clarify Pro licensing terms

- Added a new section in LICENSE.md detailing the proprietary license, usage restrictions, and directories associated with Pro features.
- Updated package.json to specify the proprietary license using the SPDX identifier format.

* Refine LICENSE.md to streamline Pro licensing terms

* Refactor licensing to clearly separate MIT and Pro scopes

Implements cleaner license separation approach:
- MIT License applies to lib/react_on_rails/** (except pro/) and node_package/src/** (except pro/)
- Pro License applies exclusively to pro/ directories
- Removes contradictory language about prohibiting MIT code modification
- Clarifies that MIT code can be modified, but using it to access Pro features without a license is prohibited

Changes:
- LICENSE.md: Restructured to clearly define license scopes upfront
- DIRECTORY_LICENSING.md: Added distinction between MIT modification rights and Pro usage restrictions
- LICENSING_FAQ.md: Added FAQ explaining modification rights vs usage restrictions

This resolves the legal contradiction where MIT-licensed code included anti-circumvention restrictions,
which conflicts with MIT's grant of unrestricted modification rights.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Abanoub Ghadban <AbanoubGhadban@users.noreply.github.com>

* Fix package.json license field and add license validation mechanism examples

- Changed package.json license field to 'SEE LICENSE IN LICENSE.md' for better npm tooling compatibility
- Added 'License Validation Mechanisms' section to LICENSE.md with:
  - Description of what license validation mechanisms are (runtime checks, authentication systems, etc.)
  - Specific examples of prohibited modifications (helper.rb, utils.rb, interface files)
  - Clear statement that MIT modifications are allowed but using them to access Pro features violates the Pro License

Co-authored-by: Abanoub Ghadban <AbanoubGhadban@users.noreply.github.com>

* Update LICENSE.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update LICENSE.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* linting

* Remove examples of prohibited modifications from LICENSE.md to streamline the document and focus on the core licensing terms.

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Abanoub Ghadban <AbanoubGhadban@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 3 people

LICENSE.md

@@ -1,16 +1,38 @@
 # Licensing
 
-- **Core**: MIT (this file)
-- **Pro**: see [REACT-ON-RAILS-PRO-LICENSE.md](./REACT-ON-RAILS-PRO-LICENSE.md)
+This repository contains code under two different licenses:
 
----
+- **Core**: MIT License (applies to most files)
+- **Pro**: React on Rails Pro License (applies to specific directories)
+
+## License Scope
+
+### MIT Licensed Code
+
+The following directories and all their contents are licensed under the **MIT License** (see full text below):
+
+- `lib/react_on_rails/` (excluding `lib/react_on_rails/pro/`)
+- `node_package/src/` (excluding `node_package/src/pro/`)
+- `node_package/lib/` (excluding `node_package/lib/pro/`)
+- All other directories in this repository not explicitly listed as Pro-licensed
 
-## MIT License for Core React on Rails
+### Pro Licensed Code
 
-This license applies to all files within this repository, with the exception of the code located in the following directories, which are licensed separately under the React on Rails Pro License:
+The following directories and all their contents are licensed under the **React on Rails Pro License**:
 
 - `lib/react_on_rails/pro/`
 - `node_package/src/pro/`
+- `node_package/lib/pro/`
+
+See [REACT-ON-RAILS-PRO-LICENSE.md](./REACT-ON-RAILS-PRO-LICENSE.md) for complete Pro license terms.
+
+**Important:** Pro-licensed code is included in this package but requires a valid React on Rails Pro subscription to use. Using Pro features without a valid license violates the React on Rails Pro License.
+
+---
+
+## MIT License
+
+This license applies to all MIT-licensed code as defined above.
 
 Copyright (c) 2017, 2018 Justin Gordon and ShakaCode  
 Copyright (c) 2015–2025 ShakaCode, LLC
@@ -41,7 +63,22 @@ SOFTWARE.
 
 ## React on Rails Pro License
 
-The code in the directories listed above is part of the React on Rails Pro framework and is licensed under the React on Rails Pro License.
-
-You can find the full text of the license agreement here:
+For Pro-licensed code (as defined in the "License Scope" section above), see:
 [REACT-ON-RAILS-PRO-LICENSE.md](./REACT-ON-RAILS-PRO-LICENSE.md)
+
+**Key Points:**
+
+- Pro features require a valid React on Rails Pro subscription for production use
+- Free use is permitted for educational, personal, and non-production purposes
+- Modifying MIT-licensed interface files is permitted under MIT terms
+- However, using those modifications to access Pro features without a valid license violates the Pro License
+
+### License Validation Mechanisms
+
+**License validation mechanisms** include but are not limited to:
+
+- Runtime checks for valid Pro subscriptions
+- Authentication systems in `lib/react_on_rails/utils.rb` and Pro TypeScript modules
+- The `react_on_rails_pro?` method and `rorPro` field generation
+
+While MIT-licensed code may be modified under MIT terms, using such modifications to access Pro features without a valid license violates the React on Rails Pro License.

REACT-ON-RAILS-PRO-LICENSE.md

@@ -1,6 +1,6 @@
 # ShakaCode React on Rails Pro – End User License Agreement (EULA)
 
-_Version 2.0 — 2025-09-06_  
+_Version 2.1 — 2025-09-25_  
 © 2015–2025 ShakaCode, LLC. All rights reserved.
 
 ---
@@ -51,7 +51,11 @@ The Organization shall not:
 
 1. redistribute or resell the Software or derivatives;
 2. remove, obfuscate, or disable required attribution;
-3. use the Software to build a directly competing product exposing substantially similar functionality.
+3. use the Software to build a directly competing product exposing substantially similar functionality;
+4. **circumvent, bypass, modify, disable, or tamper with any license validation mechanisms, license checks, or authentication systems;**
+5. **reverse engineer, decompile, or disassemble the Software for the purpose of circumventing license restrictions;**
+6. **create, use, or distribute any tools, scripts, patches, or modifications designed to enable unauthorized use of Pro features;**
+7. **attempt to access or use Pro features without a valid, active subscription.**
 
 ---
 
@@ -85,6 +89,9 @@ While subscribed, the Organization receives software updates and reasonable supp
 
 If ShakaCode reasonably suspects non-compliance, the Organization will cooperate in good faith to verify compliance, including enabling inspection for attribution presence and providing a usage statement. ShakaCode will use commercially reasonable efforts to minimize disruption.
 
+**9.1 Detailed Audits**  
+ShakaCode or a certified auditor acting on its behalf may, upon reasonable request and at ShakaCode’s expense, audit the Organization’s use of the Software to verify compliance with this Agreement. Audits may be conducted by mail, electronically, or by in-person visits during regular business hours and shall minimize disruption to the Organization’s business. If the audit reveals a material unauthorized use, the Organization shall reimburse ShakaCode for reasonable audit costs.
+
 ---
 
 ## 10. Feedback & Contributions
@@ -118,12 +125,43 @@ Direct damages are limited to amounts paid in the 12 months preceding the claim.
 
 ---
 
-## 15. Governing Law; Venue
+## 15. Indemnification
+
+The Organization agrees to defend, indemnify, and hold harmless ShakaCode and its affiliates from any claims, losses, damages, liabilities, costs, or expenses (including legal fees) arising out of the Organization’s use of the Software or breach of this Agreement.
+
+---
+
+## 16. Export Compliance
+
+The Organization agrees to comply with all applicable export laws and regulations, including restrictions on export, re-export, or redistribution of the Software.
+
+---
+
+## 17. Attorneys’ Fees and Costs
+
+In any enforcement or legal action arising under this Agreement, the prevailing party shall be entitled to recover reasonable attorneys’ fees and costs.
+
+---
+
+## 18. Governing Law; Venue
+
+This Agreement is governed by the laws of the **State of Hawaii**, USA. Exclusive jurisdiction and venue lie in the courts located therein.
+
+---
+
+## 19. Miscellaneous
+
+- **19.1 Severability**  
+  If any provision is held invalid or unenforceable, the remainder shall continue in full force.
+
+- **19.2 Waiver**  
+  Failure to enforce any provision is not a waiver of rights.
 
-Choose one: **State of Hawaii**, USA. Exclusive jurisdiction and venue lie in the courts located therein.
+- **19.3 Assignment**  
+  The Organization may not assign this Agreement without prior written consent.
 
 ---
 
-## 16. Entire Agreement; Order of Precedence
+## 20. Entire Agreement; Order of Precedence
 
 This EULA and any order (pricing/term) are the entire agreement. If there is a conflict, the order controls.

docs/DIRECTORY_LICENSING.md

@@ -12,14 +12,20 @@ All directories in the `react_on_rails` repository are MIT licensed:
 react_on_rails/
 ├── lib/react_on_rails/           # Core Ruby code (MIT)
 ├── node_package/src/             # Core JS/TS code (MIT)
-│   └── pro/                      # Pro features placeholder (MIT but references pro)
+│   └── pro/                      # Pro features with license validation (Pro licensed)
 ├── spec/                         # Core tests (MIT)
 ├── docs/                         # Documentation (MIT)
 ├── .github/                      # GitHub workflows (MIT)
 └── [all other directories]       # MIT
 ```
 
-**Exception:** The `node_package/src/pro/` directory contains placeholder code that references Pro features, but the actual Pro implementation is in the separate `react_on_rails_pro` repository.
+**Exception:** The `node_package/src/pro/` directory contains Pro implementation code licensed under the React on Rails Pro License. This code is included in the package but requires a valid Pro license to use.
+
+**Important Distinction:**
+
+- **MIT-licensed interface files** (outside `pro/` directories) can be freely modified under MIT terms
+- **Using those modifications to access Pro features** without a license violates the Pro License
+- **Pro-licensed files** (inside `pro/` directories) require a Pro license to use in any way
 
 ### react_on_rails_pro Repository - Pro Licensed
 

docs/LICENSING_FAQ.md

@@ -95,7 +95,7 @@ react_on_rails/ (monorepo root)
 
 **A:** We maintain two separate repositories:
 
-- **react_on_rails** (MIT) - Core functionality, completely free except pro directories as stated in LICENSE.md
+- **react_on_rails** (MIT + Pro) - Core functionality is MIT-licensed and completely free. Pro features (in `pro/` directories) are Pro-licensed and require a subscription for production use
 - **react_on_rails_pro** (Pro License) - Advanced features, subscription required for production
 
 ### Q: What requires a Pro subscription?
@@ -110,6 +110,14 @@ react_on_rails/ (monorepo root)
 
 See [REACT-ON-RAILS-PRO-LICENSE.md](../REACT-ON-RAILS-PRO-LICENSE.md) for complete Pro license terms.
 
+### Q: Can I modify the MIT-licensed interface files?
+
+**A:** Yes! Under the MIT license, you can freely modify any MIT-licensed files (those outside `pro/` directories). However:
+
+- **Permitted:** Modifying MIT-licensed code for your own purposes
+- **Not Permitted:** Using those modifications to access Pro features without a valid license
+- **Distinction:** The MIT license grants you modification rights, but the Pro License restricts unauthorized use of Pro features
+
 ### Q: Can I try Pro features for free?
 
 **A:** Yes! Pro license allows free use for:

package.json

@@ -118,7 +118,7 @@
     "Rails"
   ],
   "author": "justin.gordon@gmail.com",
-  "license": "MIT",
+  "license": "SEE LICENSE IN LICENSE.md",
   "bugs": {
     "url": "https://github.com/shakacode/react_on_rails/issues"
   },