feat: include workspace members with different license or authorship

Workspace members that share the root package's license and author set
are covered by the top-level LICENSE-MIT / LICENSE-APACHE files and
need no separate attribution. But some workspace crates have a
different license (`gix-imara-diff` and `gix-imara-diff-01` are
vendored from upstream under Apache-2.0, not the root's
MIT-or-Apache-2.0) or different authors (`gix-config` by Edward Shen,
`gix-hashtable` by Pascal Kuthe, and several others with co-authors).
Omitting these from the manifest is a compliance gap — Apache-2.0
§4(a) and §4(c) require distributing the license and retaining
copyright notices, and MIT requires preserving the copyright notice.

Detect these automatically: for each workspace member in the resolved
dependency graph that is reachable from the `gitoxide` package (so
test-only crates like `gix-config-tests` are excluded), compare its
`license` field (SPDX-normalized, order-independent) and `authors`
set against the root package's. If either differs, include it in the
manifest and scan its source tree for LICENSE / NOTICE / AUTHORS files
exactly as we do for third-party crates. No per-crate configuration
is needed; vendoring a crate into the workspace with different
metadata is sufficient for it to be discovered.

Tests assert that `gix-imara-diff` (different license) and `gix-config`
(different author) appear, while `gix-config-tests` (not linked) and
`gitoxide` itself (the root) do not.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: EliahKagan

build.rs

@@ -52,7 +52,7 @@ mod spdx_texts;
 #[path = "gitoxide-core/src/licenses/build_support.rs"]
 mod build_support;
 
-use std::collections::HashSet;
+use std::collections::{HashMap, HashSet, VecDeque};
 use std::path::{Path, PathBuf};
 use std::process::Command;
 use std::time::{SystemTime, UNIX_EPOCH};
@@ -153,14 +153,36 @@ fn collect_manifest() -> Result<Manifest, String> {
     let metadata = cmd.exec().map_err(|e| format!("cargo metadata failed: {e}"))?;
 
     let workspace_members: HashSet<_> = metadata.workspace_members.iter().cloned().collect();
-    let mut third_party: Vec<&cargo_metadata::Package> = metadata
+
+    // Determine which packages are reachable from the `gitoxide` binary's
+    // dependency graph (as opposed to other workspace members' graphs).
+    // This matters because some workspace members (e.g. test crates) are
+    // never linked into gix/ein and shouldn't appear in the manifest.
+    let reachable = reachable_from_root(&metadata, "gitoxide")?;
+
+    let root_pkg = metadata
         .packages
         .iter()
-        .filter(|p| !workspace_members.contains(&p.id) && p.source.is_some())
+        .find(|p| p.name == "gitoxide")
+        .ok_or("gitoxide package not found in metadata")?;
+
+    // Collect third-party deps (non-workspace, sourced) as before, PLUS
+    // workspace members whose license or authorship differs from the root
+    // package and that are actually linked into the binary.
+    let mut to_attribute: Vec<&cargo_metadata::Package> = metadata
+        .packages
+        .iter()
+        .filter(|p| {
+            if workspace_members.contains(&p.id) {
+                reachable.contains(&p.id) && needs_separate_attribution(p, root_pkg)
+            } else {
+                p.source.is_some()
+            }
+        })
         .collect();
-    third_party.sort_by(|a, b| a.name.cmp(&b.name).then_with(|| a.version.cmp(&b.version)));
+    to_attribute.sort_by(|a, b| a.name.cmp(&b.name).then_with(|| a.version.cmp(&b.version)));
 
-    let crates: Vec<CrateLicense> = third_party.into_iter().map(build_crate_entry).collect();
+    let crates: Vec<CrateLicense> = to_attribute.into_iter().map(build_crate_entry).collect();
 
     Ok(Manifest {
         crates,
@@ -204,6 +226,72 @@ fn build_crate_entry(p: &cargo_metadata::Package) -> CrateLicense {
     }
 }
 
+/// BFS from the named root package through the resolve graph, returning
+/// every package ID reachable from it. This lets us distinguish workspace
+/// members that are linked into the binary from those that only exist as
+/// standalone workspace members (e.g. test crates).
+fn reachable_from_root(
+    metadata: &cargo_metadata::Metadata,
+    root_name: &str,
+) -> Result<HashSet<cargo_metadata::PackageId>, String> {
+    let resolve = metadata
+        .resolve
+        .as_ref()
+        .ok_or("cargo metadata produced no resolve graph")?;
+
+    let root_id = metadata
+        .packages
+        .iter()
+        .find(|p| p.name == root_name)
+        .map(|p| &p.id)
+        .ok_or_else(|| format!("package `{root_name}` not found in metadata"))?;
+
+    let deps_of: HashMap<&cargo_metadata::PackageId, Vec<&cargo_metadata::PackageId>> = resolve
+        .nodes
+        .iter()
+        .map(|n| (&n.id, n.deps.iter().map(|d| &d.pkg).collect()))
+        .collect();
+
+    let mut reachable = HashSet::new();
+    let mut queue = VecDeque::new();
+    queue.push_back(root_id.clone());
+    while let Some(id) = queue.pop_front() {
+        if !reachable.insert(id.clone()) {
+            continue;
+        }
+        if let Some(deps) = deps_of.get(&id) {
+            for dep_id in deps {
+                queue.push_back((*dep_id).clone());
+            }
+        }
+    }
+    Ok(reachable)
+}
+
+/// Return `true` if a workspace member's license or authorship differs
+/// from the root package's and so requires its own attribution entry in the
+/// manifest. The comparison normalises SPDX expressions (so `MIT OR
+/// Apache-2.0` and `Apache-2.0 OR MIT` are treated as equivalent) and
+/// compares author sets order-independently.
+fn needs_separate_attribution(pkg: &cargo_metadata::Package, root: &cargo_metadata::Package) -> bool {
+    // Compare normalized SPDX id sets.
+    match (&pkg.license, &root.license) {
+        (Some(pkg_lic), Some(root_lic)) => {
+            let pkg_ids = build_support::parse_spdx_ids(pkg_lic);
+            let root_ids = build_support::parse_spdx_ids(root_lic);
+            if pkg_ids != root_ids {
+                return true;
+            }
+        }
+        (None, None) => {}
+        _ => return true, // one declares a license, the other doesn't
+    }
+    // Compare author sets (order-independent).
+    let pkg_authors: HashSet<&str> = pkg.authors.iter().map(String::as_str).collect();
+    let root_authors: HashSet<&str> = root.authors.iter().map(String::as_str).collect();
+    pkg_authors != root_authors
+}
+
 fn enabled_top_level_features() -> Vec<String> {
     // Cargo exposes each enabled feature as `CARGO_FEATURE_<NAME>` where the
     // name is uppercased and hyphens become underscores. These are features of

src/licenses/embedded.rs

@@ -145,6 +145,48 @@ mod tests {
         );
     }
 
+    /// Workspace members with different license or authorship must appear
+    /// in the manifest alongside third-party deps. `gix-imara-diff` is
+    /// vendored from upstream under Apache-2.0 (not the root's
+    /// `MIT OR Apache-2.0`) with a different author — it is the strongest
+    /// case for separate attribution. `gix-config` has the same license
+    /// but a different sole author (Edward Shen). Both must be present.
+    ///
+    /// Test crates like `gix-config-tests` share authorship traits but
+    /// are never linked into the binary; they must NOT appear.
+    #[test]
+    fn workspace_members_with_different_attribution_are_included() {
+        let manifest = load().expect("load manifest");
+        let names: std::collections::BTreeSet<&str> = manifest.crates.iter().map(|c| c.name.as_str()).collect();
+
+        // Apache-2.0-only vendored crate — different license AND author.
+        assert!(
+            names.contains("gix-imara-diff"),
+            "vendored workspace member `gix-imara-diff` (Apache-2.0, different author) \
+             must appear in the manifest",
+        );
+
+        // Same license, different sole author.
+        assert!(
+            names.contains("gix-config"),
+            "workspace member `gix-config` (different author: Edward Shen) \
+             must appear in the manifest",
+        );
+
+        // Test crate — different author but not linked into the binary.
+        assert!(
+            !names.contains("gix-config-tests"),
+            "test workspace member `gix-config-tests` must NOT appear in \
+             the manifest (not linked into the binary)",
+        );
+
+        // Root package itself must never appear.
+        assert!(
+            !names.contains("gitoxide"),
+            "root package `gitoxide` must not appear in its own manifest",
+        );
+    }
+
     /// `build.rs` derives `feature_profile` from the `CARGO_FEATURE_*` env
     /// set at build time. The test binary is compiled with the same feature
     /// set (via `cargo test --features X`), so `cfg!(feature = X)` here must