# License Compliance Evaluation Engine

## Module

Policy

## Status

IMPLEMENTED

## Description

Full license compliance evaluation with SPDX expression parsing, license compatibility matrix checking against configurable allow/deny/copyleft lists, attribution report generation, and policy engine integration. While the known list has SPDX license expression parsers in the Attestor writers, this is a distinct policy-engine-integrated compliance evaluator with attribution generation capabilities.

## Implementation Details

- **LicenseComplianceEvaluator**: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseComplianceEvaluator.cs` (sealed class implementing `ILicenseComplianceEvaluator`)
  - `EvaluateAsync(components, policy)` evaluates license compliance for all components
  - SPDX expression parsing via `SpdxLicenseExpressionParser.Parse()`
  - License expression evaluation via `LicenseExpressionEvaluator` with compatibility checking
  - Exemption support: per-component pattern-based license exemptions
  - Obligation tracking: Attribution, SourceDisclosure, PatentGrant, TrademarkNotice
  - Overall status: Pass (no issues), Warn (missing/unknown licenses, obligations), Fail (prohibited, copyleft conflict, commercial restriction)
- **LicenseComplianceReport**: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseComplianceModels.cs`
  - Inventory: LicenseUsage records with LicenseId, Expression, Category, Components list, Count; ByCategory counts; UnknownLicenseCount; NoLicenseCount
  - Findings: LicenseFinding records with Type, LicenseId, ComponentName, ComponentPurl, Category, Message
  - Conflicts: LicenseConflict records with conflicting LicenseIds and Reason
  - AttributionRequirements: ComponentName, LicenseId, Notices, IncludeLicenseText flag
- **LicenseFindingType enum**: ProhibitedLicense, CopyleftInProprietaryContext, LicenseConflict, UnknownLicense, MissingLicense, AttributionRequired, SourceDisclosureRequired, PatentClauseRisk, CommercialRestriction, ConditionalLicenseViolation
- **LicenseCategory enum**: Unknown, Permissive, WeakCopyleft, StrongCopyleft, Proprietary, PublicDomain
- **Supporting classes**:
  - `LicenseKnowledgeBase`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseKnowledgeBase.cs` -- license metadata database
  - `LicenseCompatibilityChecker`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseCompatibilityChecker.cs` -- compatibility matrix
  - `LicenseExpressionEvaluator`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicenseExpressionEvaluator.cs` -- evaluates parsed expressions
  - `ProjectContextAnalyzer`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/ProjectContextAnalyzer.cs` -- project context for compatibility
  - `LicensePolicy` / `LicensePolicyLoader`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/LicensePolicy.cs` / `LicensePolicyLoader.cs` -- policy configuration
  - `AttributionGenerator`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/AttributionGenerator.cs` -- NOTICE file generation
  - `SpdxLicenseExpressionParser`: `src/Policy/__Libraries/StellaOps.Policy/Licensing/SpdxLicenseExpressionParser.cs` -- SPDX expression parsing

## E2E Test Plan

- [ ] Evaluate component with "MIT" license; verify OverallStatus=Pass, Category=Permissive
- [ ] Evaluate component with "GPL-3.0-only" in proprietary context; verify finding type CopyleftInProprietaryContext, OverallStatus=Fail
- [ ] Evaluate component with prohibited license (in deny list); verify finding type ProhibitedLicense, OverallStatus=Fail
- [ ] Evaluate component with no license data; verify finding type MissingLicense, OverallStatus=Warn
- [ ] Evaluate component with unparseable license expression; verify finding type UnknownLicense
- [ ] Evaluate component with "Apache-2.0 OR MIT" dual license; verify parser resolves expression, one license selected
- [ ] Evaluate 3 components: MIT, GPL-3.0, Apache-2.0; verify Inventory contains all 3 with correct categories and ByCategory counts
- [ ] Evaluate with license requiring attribution; verify AttributionRequirements populated with ComponentName and Notices
- [ ] Configure exemption for component pattern "internal-*" allowing GPL-3.0; verify ProhibitedLicense finding suppressed
- [ ] Evaluate with UnknownLicenseHandling=Deny in policy; verify unknown licenses produce OverallStatus=Fail
- [ ] Evaluate component with conflicting dual licenses; verify LicenseConflict finding with reason
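As an added, standalone example (not the project's code and not its API), the following Python sketches the evaluation the plan above exercises: a flat SPDX expression is split into OR-alternatives of AND-groups, each license id is checked against a constructed allow/deny/copyleft policy, and an OR is resolved by selecting the least severe alternative. Finding types and statuses follow the names on this page; the policy, the license sets and the `proprietary` flag are assumptions, and parentheses and WITH exceptions are out of scope and reported as UnknownLicense.

```python
import re

# Constructed sample policy; not the project's LicensePolicy or LicenseKnowledgeBase format.
POLICY = {"deny": {"SSPL-1.0"}, "strong_copyleft": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
          "permissive": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}}
RANK = {"Pass": 0, "Warn": 1, "Fail": 2}
LICENSE_ID = re.compile(r"[A-Za-z0-9.+-]+")


def parse(expr):
    """Flat SPDX expression to DNF: a list of AND-groups joined by OR (AND binds tighter, as in SPDX)."""
    # Parentheses and WITH exceptions are not handled here; they fail the id check and surface as UnknownLicense.
    groups = [re.split(r"\s+AND\s+", alt.strip(), flags=re.I)
              for alt in re.split(r"\s+OR\s+", expr.strip(), flags=re.I)]
    bad = [lic for group in groups for lic in group if not LICENSE_ID.fullmatch(lic)]
    if bad:
        raise ValueError(f"unparseable license expression {expr!r}: {bad}")
    return groups


def check(lic, proprietary):
    """Findings for one license id under POLICY: (finding type, license id, severity)."""
    if lic in POLICY["deny"]:
        return [("ProhibitedLicense", lic, "Fail")]
    if lic in POLICY["strong_copyleft"]:
        if proprietary:
            return [("CopyleftInProprietaryContext", lic, "Fail")]
        return [("SourceDisclosureRequired", lic, "Warn")]  # an obligation, not a violation, outside proprietary use
    if lic not in POLICY["permissive"]:
        return [("UnknownLicense", lic, "Warn")]
    return []


def worst(findings):
    return max((RANK[f[2]] for f in findings), default=0)


def evaluate(expr, proprietary=True):
    """Evaluate one component's expression; returns (OverallStatus, findings, chosen license ids).
    An OR picks the alternative with the least severe, then fewest, findings; an AND needs every license."""
    if not expr or not expr.strip():
        return "Warn", [("MissingLicense", None, "Warn")], []
    try:
        groups = parse(expr)
    except ValueError:
        return "Warn", [("UnknownLicense", expr, "Warn")], []
    options = [(sum((check(lic, proprietary) for lic in group), []), group) for group in groups]
    findings, chosen = min(options, key=lambda opt: (worst(opt[0]), len(opt[0])))
    return ["Pass", "Warn", "Fail"][worst(findings)], findings, chosen
```

With this policy, "GPL-3.0-only OR MIT" passes in a proprietary context by selecting MIT, while "GPL-3.0-only AND MIT" fails because both licenses apply.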