A framework for deciding how much legal ambiguity you can stomach.
PHALUS produces code with an audit trail. Whether that audit trail constitutes a legal defense depends on factors this tool cannot evaluate for you. Here's what you should consider.
Simple functions like left-pad, is-odd, or type-checking utilities may lack sufficient creative expression to be copyrightable. Reimplementation is likely defensible regardless of method.
The original is already permissively licensed. Reimplementation removes attribution requirements, but the license was designed to be easy to comply with. The question worth asking is why you're avoiding it.
These licenses exist specifically to prevent what you're doing. Clean room reimplementation is a legal end-run around their intent. The audit trail helps, but intent matters in court.
The more creative expression in the original, the harder it is to argue independent creation. LLM training data contamination makes this worse. A 10,000-line library has more surface area for accidental copying than a 10-line utility.
Every AI clean room argument has the same weakness: the model may have seen the original source during training. If GPT-4 or Claude was trained on the npm registry, its "independent" reimplementation may carry fingerprints from the original. No amount of process isolation at inference time can undo training-time exposure.
PHALUS mitigates this with similarity scoring, but a low similarity score doesn't prove the absence of influence — it only proves the output doesn't look obviously copied.
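To make that limitation concrete, here is a minimal sketch of what a textual similarity score measures, using Python's standard-library `difflib`. This is an illustrative assumption about how such a score might work, not PHALUS's actual scorer, and the two sample implementations are invented:

```python
# Illustrative only: a naive character-level similarity score. This is an
# assumption for illustration, not PHALUS's actual scoring algorithm.
from difflib import SequenceMatcher

def similarity(a: str, b: str) -> float:
    """Fraction of matching characters between two source texts (0.0 to 1.0)."""
    return SequenceMatcher(None, a, b).ratio()

# Two invented implementations of the same trivial utility.
original = "function leftPad(s, n) { while (s.length < n) s = ' ' + s; return s; }"
rewrite = "const leftPad = (s, n) => ' '.repeat(Math.max(0, n - s.length)) + s;"

score = similarity(original, rewrite)
print(f"similarity: {score:.2f}")
# A low score only says the two texts don't look alike. It cannot tell you
# whether the model that produced `rewrite` saw `original` during training.
```

A character-level ratio like this is also blind to structural or semantic borrowing; a real scorer would more plausibly compare tokens or ASTs, but the epistemic limit is the same either way.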
Cross-language reimplementation. Use --target-lang rust to reimplement a JavaScript library in Rust. The structural divergence forced by a language change makes surface-level similarity far less likely, though it cannot erase training-time exposure.
Similarity thresholds. Set --similarity-threshold 0.30 to flag anything that looks too close to the original. Review flagged output manually.
Human review. For high-risk packages (AGPL, large codebases), review the output manually before using it. The audit trail is evidence of process, not a guarantee of legality.
Multiple passes. Generate several implementations and select the most divergent. Different runs produce different code — pick the one least likely to resemble the original.
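The last two mitigations compose naturally: score each pass against the original, flag anything over the threshold, and keep the most divergent candidate. The sketch below assumes a naive `difflib` score and invented candidate strings; the 0.30 value mirrors the --similarity-threshold example above, and none of this is real PHALUS output:

```python
# Illustrative sketch of threshold flagging plus multiple-pass selection.
# The scoring method, candidates, and flagging rule are assumptions.
from difflib import SequenceMatcher

def similarity(a: str, b: str) -> float:
    """Fraction of matching characters between two source texts (0.0 to 1.0)."""
    return SequenceMatcher(None, a, b).ratio()

original = "function isOdd(n) { return n % 2 !== 0; }"

# Pretend these came from three separate generation passes.
candidates = [
    "const isOdd = n => n % 2 !== 0;",
    "function isOdd(n) { return n % 2 != 0; }",  # suspiciously close
    "const isOdd = (n) => Boolean(n & 1);",
]

THRESHOLD = 0.30  # flag anything scoring above this for manual review

for c in candidates:
    s = similarity(original, c)
    status = "FLAG" if s > THRESHOLD else "ok"
    print(f"{s:.2f} {status}  {c}")

# Keep the candidate least similar to the original.
best = min(candidates, key=lambda c: similarity(original, c))
print("selected:", best)
```

Even the selected candidate still warrants human review for high-risk packages; low similarity narrows the risk, it does not retire it.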
Clean room methodology has the strongest legal precedent in United States law. Other jurisdictions may not recognize it, may define "independent creation" differently, or may have moral rights provisions that can't be contracted around.
If you operate in the EU, be aware of the Software Directive and its provisions around interoperability. If you operate in multiple jurisdictions, apply the strictest standard.
This tool generates code and produces an audit trail. It does not generate legal opinions. The audit trail proves what happened during the process. It does not prove the output is non-infringing.
If you wouldn't be comfortable explaining your use of this tool in a deposition, don't use it.
That's not a legal standard. It's a practical one. The legal standard is whatever a judge decides it is.