tests fixes and sprints work

docs/modules/policy/architecture.md

@@ -17,6 +17,7 @@ The service operates strictly downstream of the **Aggregation-Only Contract (AOC
 
 - Compile and evaluate `stella-dsl@1` policy packs into deterministic verdicts.
 - Join SBOM inventory, Concelier advisories, and Excititor VEX evidence via canonical linksets and equivalence tables.
+- Evaluate SBOM license expressions against policy (SPDX AND/OR/WITH/+), emitting compliance findings and attribution requirements for gate decisions.
 - Materialise effective findings (`effective_finding_{policyId}`) with append-only history and produce explain traces.
 - Emit CVSS v4.0 receipts with canonical hashing and policy replay/backfill rules; store tenant-scoped receipts with RBAC; export receipts deterministically (UTC/fonts/order) and flag v3.1→v4.0 conversions (see Sprint 0190 CVSS-GAPS-190-014 / `docs/modules/policy/cvss-v4.md`).
 - Emit per-finding OpenVEX decisions anchored to reachability evidence, forward them to Signer/Attestor for DSSE/Rekor, and publish the resulting artifacts for bench/verification consumers.
@@ -171,9 +172,52 @@ The Determinization subsystem calculates uncertainty scores based on signal comp
 **Usage in policies:**
 
 Determinization scores are exposed to SPL policies via the `signals.trust.*` and `signals.uncertainty.*` namespaces. Use `signals.uncertainty.entropy` to access entropy values and `signals.trust.score` for aggregated trust scores that combine VEX, reachability, runtime, and other signals with decay/weighting.
+
+### 3.2 - License compliance configuration
+
+License compliance evaluation runs during SBOM evaluation when enabled in
+`licenseCompliance` settings.
+
+```json
+{
+  "licenseCompliance": {
+    "enabled": true,
+    "policyPath": "policies/license-policy.yaml"
+  }
+}
+```
+
+- `sbom.license` exposes the compliance report (findings, conflicts, inventory).
+- `sbom.license_status` exposes `pass`, `warn`, or `fail` (or `unknown` when disabled).
+- Failures set the policy verdict status to `blocked` and emit `license.*` annotations.
+- Trademark notice obligations are tracked alongside attribution requirements and produce warn-level findings.
+- License compliance reports support JSON, text/markdown/html, legal-review, and PDF outputs.
+- Category breakdown includes percent totals and chart renderings (ASCII chart in text/markdown/legal-review/PDF, pie chart in HTML).
 ---
 
-## 4 · Data Model & Persistence
+### 3.3 - NTIA compliance configuration
+
+NTIA minimum-elements validation runs when enabled under `ntiaCompliance`.
+
+```json
+{
+  "ntiaCompliance": {
+    "enabled": true,
+    "enforceGate": false,
+    "policyPath": "policies/ntia-policy.yaml"
+  }
+}
+```
+
+- `sbom.ntia` exposes NTIA compliance details (elements, findings, supplier status).
+- `sbom.ntia_status` exposes `pass`, `warn`, `fail`, or `unknown`.
+- NTIA compliance can be configured as an advisory-only check or a release gate via `enforceGate`.
+- The NTIA policy supports element selection, supplier validation (placeholder patterns, trusted/blocked lists), and framework-specific requirements.
+- Reports support JSON, text/markdown/html, and PDF output for regulatory submissions.
+
+---
+
+## 4 · Data Model & Persistence
 
 ### 4.1 Collections