Comfy-Org · snomiao · Nov 20, 2025
@@ -0,0 +1,77 @@
+name: "CI: OSS Compliance"
+description: "Verify OSS build compliance (license and telemetry checks)"
+
+on:
+  push:
+    branches: [main, master, dev*, core/*, desktop/*]
+  pull_request:
+    branches-ignore: [wip/*, draft/*, temp/*]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  license-check:
+    name: License Compliance
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Verify production dependency licenses
+        run: node scripts/verify-licenses.js
+
+  oss-build-check:
+    name: OSS Build Verification
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build OSS distribution
+        run: DISTRIBUTION=localhost pnpm build
+        env:
+          # Ensure we're building the OSS version
+          DISTRIBUTION: localhost
+          # Disable source maps for faster build
+          GENERATE_SOURCEMAP: false
+
+      - name: Verify OSS build compliance
+        run: node scripts/verify-oss-build.js
+
+      - name: Upload build artifacts for inspection (on failure)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: oss-build-artifacts
+          path: dist/
+          retention-days: 7
@@ -0,0 +1,194 @@
+# OSS Compliance Verification
+
+This document describes the automated compliance checks that ensure the OSS (Open Source Software) distribution of ComfyUI Frontend meets licensing and privacy requirements.
+
+## Overview
+
+The OSS build verification system consists of two main components:
+
+1. **License Compliance Check** - Ensures all production dependencies use approved open-source licenses
+2. **OSS Build Verification** - Ensures the OSS distribution doesn't contain proprietary code or telemetry
+
+## Quick Start
+
+### Run All Compliance Checks
+
+```bash
+pnpm verify:compliance
+```
+
+This command will:
+1. Check all production dependency licenses
+2. Build the OSS distribution
+3. Verify the build output doesn't contain violations
+
+### Individual Checks
+
+```bash
+# Check licenses only
+pnpm verify:licenses
+
+# Build OSS distribution
+pnpm build:oss
+
+# Verify OSS build (requires build first)
+pnpm verify:oss
+```
+
+## License Compliance
+
+### Purpose
+
+Verifies that all production dependencies use licenses compatible with ComfyUI's GPL-3.0-only license.
+
+### Script Location
+
+`scripts/verify-licenses.js`
+
+### Approved Licenses
+
+The following licenses are approved for use:
+
+- **Permissive**: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
+- **Copyleft**: GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0
+- **Public Domain**: CC0-1.0, Unlicense, WTFPL
+- And other OSI-approved licenses
+
+### How It Works
+
+1. Runs `pnpm licenses list --json --prod` to get all production dependencies
+2. Checks each license against the approved list
+3. Flags any non-compliant or unknown licenses
+4. Exits with error code 1 if violations are found
+
+### Adding New Approved Licenses
+
+If a legitimate open-source license is being flagged, edit `scripts/verify-licenses.js` and add it to the `APPROVED_LICENSES` set.
+
+## OSS Build Verification
+
+### Purpose
+
+Ensures the OSS distribution (DISTRIBUTION=localhost) doesn't contain:
+
+1. **Proprietary licensed assets** (e.g., ABCROM font files)
+2. **Telemetry code** (e.g., Mixpanel tracking)
+
+### Script Location
+
+`scripts/verify-oss-build.js`
+
+### What Gets Checked
+
+#### Proprietary Font Files
+
+- Searches for `.woff`, `.woff2`, `.ttf`, `.otf` files containing "ABCROM"
+- These fonts are proprietary and licensed only for cloud distribution
+
+#### Telemetry Code
+
+Searches JavaScript files for:
+- `mixpanel` references
+- `MixpanelTelemetryProvider` class
+- Tracking method calls (`trackWorkflow`, `trackEvent`)
+- Mixpanel API endpoints (`mp.comfy.org`)
+
+### How It Works
+
+1. Recursively scans the `dist/` directory
+2. Checks font files by filename
+3. Checks JavaScript files for telemetry code patterns
+4. Reports all violations with file locations and matches
+5. Exits with error code 1 if violations are found
+
+### Tree-Shaking Mechanism
+
+The codebase uses compile-time constants for tree-shaking:
+
+```typescript
+// src/platform/distribution/types.ts
+const DISTRIBUTION: Distribution = __DISTRIBUTION__
+export const isCloud = DISTRIBUTION === 'cloud'
+
+// src/platform/telemetry/index.ts
+if (isCloud) {
+  _telemetryProvider = new MixpanelTelemetryProvider()
+}
+```
+
+When building with `DISTRIBUTION=localhost`:
+- `isCloud` evaluates to `false`
+- Dead code elimination removes all cloud-specific code
+- Mixpanel library is never imported or bundled
+
+## CI Integration
+
+### GitHub Actions Workflow
+
+`.github/workflows/ci-oss-compliance.yaml`
+
+The workflow runs on all pushes to main/dev branches and pull requests:
+
+1. **license-check** job
+   - Installs dependencies
+   - Runs license verification
+
+2. **oss-build-check** job
+   - Installs dependencies
+   - Builds OSS distribution
+   - Runs build verification
+   - Uploads artifacts on failure for debugging
+
+### When Checks Run
+
+- On push to: `main`, `master`, `dev*`, `core/*`, `desktop/*`
+- On pull requests (except `wip/*`, `draft/*`, `temp/*`)
+
+## Troubleshooting
+
+### License Check Fails
+
+1. Review the flagged packages
+2. Check if the license is genuinely non-compliant
+3. If it's a false positive, add the license to `APPROVED_LICENSES`
+4. If it's truly non-compliant, find an alternative package
+
+### OSS Build Check Fails
+
+1. Review the violations in the output
+2. Check if cloud-specific code is being included
+3. Verify tree-shaking is working:
+   - Check `vite.config.mts` for `define` configuration
+   - Ensure `DISTRIBUTION` is set correctly
+   - Check that cloud imports are conditionally loaded
+
+### Build Artifacts
+
+If the OSS build check fails in CI, artifacts are uploaded for 7 days:
+1. Go to the failed workflow run
+2. Download "oss-build-artifacts"
+3. Inspect the files to identify violations
+
+## Adding New Cloud-Specific Code
+
+When adding code that should only be in cloud builds:
+
+1. **Place it in `src/platform/cloud/`** - Recommended approach
+2. **Use conditional imports**:
+   ```typescript
+   if (isCloud) {
+     const { CloudFeature } = await import('./cloud/CloudFeature')
+     // Use CloudFeature
+   }
+   ```
+3. **Test locally**:
+   ```bash
+   pnpm build:oss
+   pnpm verify:oss
+   ```
+
+## References
+
+- [Vite Tree-Shaking](https://vitejs.dev/guide/features.html#build-optimizations)
+- [GPL-3.0 License](https://www.gnu.org/licenses/gpl-3.0.en.html)
+- [OSI Approved Licenses](https://opensource.org/licenses/)
@@ -12,7 +12,11 @@
     "build-storybook": "storybook build",
     "build:types": "nx build --config vite.types.config.mts && node scripts/prepare-types.js",
     "build:analyze": "cross-env ANALYZE_BUNDLE=true pnpm build",
+    "build:oss": "cross-env DISTRIBUTION=localhost GENERATE_SOURCEMAP=false pnpm build",
     "build": "cross-env NODE_OPTIONS='--max-old-space-size=8192' pnpm typecheck && nx build",
+    "verify:licenses": "node scripts/verify-licenses.js",
+    "verify:oss": "node scripts/verify-oss-build.js",
+    "verify:compliance": "pnpm verify:licenses && pnpm build:oss && pnpm verify:oss",
     "size:collect": "node scripts/size-collect.js",
     "size:report": "node scripts/size-report.js",
     "collect-i18n": "pnpm exec playwright test --config=playwright.i18n.config.ts",