FOLLOWUP-custom-qrcode-writer.md
Detailed checklist, acceptance criteria, and file-level scope are in the attached FOLLOWUP-custom-qrcode-writer.md.
Component
Feature Description
Replace the yeqown/go-qrcode/writer/standard PNG path (which pulls fogleman/gg → golang/freetype, reported as GPL-2.0-or-later) with a small custom implementation of qrcode.Writer that renders the QR matrix and optional center logo using only the Go standard library (image, image/draw, image/png, etc.).
After verifying the module graph and SBOM are clean, re-license synkronus-cli from GPL-2.0-or-later back to MIT and update synkronus-cli/LICENSE, synkronus-cli/README.md, and root THIRD_PARTY_NOTICES.md.
Problem Statement
Today, ** synk qr** builds PNGs via writer/standard, which links a GPL-classified dependency chain. To keep distribution and licensing posture simple (and aligned with the rest of the MIT monorepo), we temporarily marked synkronus-cli as GPL-2.0-or-later. That is a stopgap.
We want prebuilt CLI binaries (and the project’s default license story) to return to permissive terms without giving up PNG QR output or the FRMLS payload format Formulus expects.
Proposed Solution
- Keep
github.com/yeqown/go-qrcode/v2 for encoding/matrix generation or swap in another permissive QR library—either is acceptable if the final binary does not pull gg / freetype / writer/standard.
- Implement
qrcode.Writer (Write, Close) that writes a PNG file, draws modules from the matrix, and composites qr_logo.png (centered), matching current behavior closely enough for scanning.
- Consider
embed for qr_logo.png so go install / released binaries don’t depend on CWD for the logo.
- Run
go mod tidy, regenerate synkronus-cli.cdx.json (node scripts/sbom/generate-sboms.mjs), and confirm no GPL identifiers for this dependency chain.
- Switch
synkronus-cli to MIT (license file + docs) once the above is verified.
Alternatives Considered
- Stay on GPL for the CLI indefinitely — accurate for the current stack, but conflicts with wanting MIT-first monorepo messaging and simpler redistribution expectations.
- Swap to another QR library entirely (e.g. classic PNG encoders) — valid; slightly more refactor than a custom
Writer but same outcome.
- Non-PNG output (e.g. terminal-only QR) — not a full substitute for “save PNG for Formulus” workflows.
- Different QR writer from yeqown — e.g.
writer/file is text/Unicode, not PNG; not a drop-in replacement.
Additional Context
- Entry point:
synkronus-cli/internal/cmd/qr.go (standard.New, standard.WithLogoImageFilePNG("qr_logo.png")).
- SBOM: release / local
sbom-dist/synkronus-cli.cdx.json (see repo script scripts/sbom/generate-sboms.mjs).
FOLLOWUP-custom-qrcode-writer.md
Component
Feature Description
Replace the
yeqown/go-qrcode/writer/standardPNG path (which pullsfogleman/gg→golang/freetype, reported as GPL-2.0-or-later) with a small custom implementation ofqrcode.Writerthat renders the QR matrix and optional center logo using only the Go standard library (image,image/draw,image/png, etc.).After verifying the module graph and SBOM are clean, re-license
synkronus-clifrom GPL-2.0-or-later back to MIT and updatesynkronus-cli/LICENSE,synkronus-cli/README.md, and rootTHIRD_PARTY_NOTICES.md.Problem Statement
Today, **
synk qr** builds PNGs viawriter/standard, which links a GPL-classified dependency chain. To keep distribution and licensing posture simple (and aligned with the rest of the MIT monorepo), we temporarily markedsynkronus-clias GPL-2.0-or-later. That is a stopgap.We want prebuilt CLI binaries (and the project’s default license story) to return to permissive terms without giving up PNG QR output or the FRMLS payload format Formulus expects.
Proposed Solution
github.com/yeqown/go-qrcode/v2for encoding/matrix generation or swap in another permissive QR library—either is acceptable if the final binary does not pullgg/freetype/writer/standard.qrcode.Writer(Write,Close) that writes a PNG file, draws modules from the matrix, and compositesqr_logo.png(centered), matching current behavior closely enough for scanning.embedforqr_logo.pngsogo install/ released binaries don’t depend on CWD for the logo.go mod tidy, regeneratesynkronus-cli.cdx.json(node scripts/sbom/generate-sboms.mjs), and confirm no GPL identifiers for this dependency chain.synkronus-clito MIT (license file + docs) once the above is verified.Alternatives Considered
Writerbut same outcome.writer/fileis text/Unicode, not PNG; not a drop-in replacement.Additional Context
synkronus-cli/internal/cmd/qr.go(standard.New,standard.WithLogoImageFilePNG("qr_logo.png")).sbom-dist/synkronus-cli.cdx.json(see repo scriptscripts/sbom/generate-sboms.mjs).