Metadata-Version: 2.4
Name: ospac
Version: 1.2.1
Summary: Open Source Policy as Code - License compliance policy engine
Author-email: "Oscar Valenzuela B." <oscar.valenzuela.b@gmail.com>
Maintainer-email: "Oscar Valenzuela B." <oscar.valenzuela.b@gmail.com>
License-Expression: Apache-2.0
Project-URL: Homepage, https://github.com/SemClone/osslili
Project-URL: Documentation, https://github.com/SemClone/osslili#readme
Project-URL: Repository, https://github.com/SemClone/osslili.git
Project-URL: Issues, https://github.com/SemClone/osslili/issues
Project-URL: Changelog, https://github.com/SemClone/osslili/blob/main/CHANGELOG.md
Keywords: license,compliance,policy,policy-as-code,oss,open-source,spdx,license-compatibility,regulatory-compliance,sbom
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Legal Industry
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Software Development :: Documentation
Classifier: Topic :: System :: Software Distribution
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Operating System :: OS Independent
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: AUTHORS.md
Requires-Dist: pyyaml>=6.0
Requires-Dist: click>=8.0.0
Requires-Dist: jsonschema>=4.17.0
Requires-Dist: jinja2>=3.0.0
Requires-Dist: colorama>=0.4.0
Requires-Dist: requests>=2.28.0
Requires-Dist: urllib3<2.0,>=1.26.0; python_version < "3.10"
Requires-Dist: urllib3>=1.26.0; python_version >= "3.10"
Provides-Extra: dev
Requires-Dist: pytest>=7.0.0; extra == "dev"
Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.21.0; extra == "dev"
Requires-Dist: black>=23.0.0; extra == "dev"
Requires-Dist: flake8>=6.0.0; extra == "dev"
Requires-Dist: mypy>=1.0.0; extra == "dev"
Requires-Dist: isort>=5.12.0; extra == "dev"
Requires-Dist: pre-commit>=3.0.0; extra == "dev"
Provides-Extra: test
Requires-Dist: pytest>=7.0.0; extra == "test"
Requires-Dist: pytest-cov>=4.0.0; extra == "test"
Requires-Dist: pytest-asyncio>=0.21.0; extra == "test"
Provides-Extra: semcl
Requires-Dist: osslili>=1.5.0; extra == "semcl"
Requires-Dist: upmex>=1.6.0; extra == "semcl"
Provides-Extra: llm
Requires-Dist: strandsagents>=0.1.0; extra == "llm"
Provides-Extra: all
Requires-Dist: ospac[llm,semcl]; extra == "all"
Dynamic: license-file

# OSPAC - Open Source Policy as Code

[![Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Python 3.8+](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/)
[![Version](https://img.shields.io/badge/version-1.2.0-green.svg)](https://github.com/SemClone/ospac/releases)

OSPAC (Open Source Policy as Code) is a comprehensive policy engine for automated OSS license compliance. It provides a declarative, data-driven approach where all compliance logic, rules, and decisions are defined in versionable policy files rather than hardcoded in application logic.

**What's New in v1.2.0:**
- **JSON-First Architecture** - Migrated from YAML to JSON for 50% faster parsing and better MCP integration
- **Complete SPDX Coverage** - All 712 SPDX licenses with comprehensive metadata included out-of-the-box
- **Reduced Package Size** - Dataset optimized from 5.6MB to 2.8MB (50% reduction) while maintaining complete functionality
- **Enhanced Policy Evaluation** - Complete obligation tracking with remediation data and requirements for all license types
- **Build Target Templates** - Dedicated policy templates for mobile, desktop, web, server, embedded, and library projects
- **100% Test Coverage** - Comprehensive validation across all datasets, CLI commands, and library API
- **Improved Compatibility Checking** - Fixed critical issues like GPL-2.0 + Apache-2.0 incompatibility detection
- **MCP Ready** - Optimized JSON output for seamless integration with Model Context Protocol systems

## Key Features

- **Policy as Code** - All compliance logic is defined in YAML/JSON policy files
- **JSON Dataset** - High-performance JSON format with schema validation (v1.2.0)
- **SPDX Integration** - Complete support for 712 SPDX license identifiers
- **Compatibility Engine** - Complex license compatibility evaluation with detailed matrices
- **Obligation Tracking** - Automated compliance checklist generation with comprehensive requirements
- **MCP Integration** - Optimized for Model Context Protocol and external system integration
- **Build Target Policies** - Dedicated templates for mobile, desktop, web, server, embedded, and library projects
- **CLI & API** - Both command-line and programmatic interfaces with JSON-first output

## Core Philosophy

Everything in OSPAC is policy-defined, not code-defined:

- **No hardcoded business logic** - All rules are data-driven
- **Versionable** - Policies in Git, reviewable via PR
- **Testable** - Unit test your policies
- **Composable** - Build complex policies from simple rules
- **Auditable** - Clear lineage of decisions

## Installation

```bash
# Latest stable release (v1.2.0)
pip install ospac

# With SEMCL.ONE integration
pip install "ospac[semcl]"

# With LLM analysis capabilities
pip install "ospac[llm]"

# Full installation with all features
pip install "ospac[all]"
```

## How It Works

OSPAC v1.2.0 includes a pre-built JSON dataset with instant functionality:

1. **Ready-to-Use Dataset** - 712 SPDX licenses in optimized JSON format (included with installation)
2. **Runtime Engine** - Evaluates licenses against policies using comprehensive metadata
3. **Optional Data Pipeline** - Advanced users can regenerate data with custom analysis

### Pre-Built Dataset (v1.2.0)

**No setup required!** OSPAC ships with:
- 712 complete SPDX license definitions in JSON format
- Comprehensive compatibility matrices for static/dynamic linking
- Complete obligation tracking with license-specific requirements
- Structured contamination effects and compatibility notes
- Schema-validated data integrity

### Advanced Data Generation (Optional)

For custom analysis, OSPAC includes a pipeline that:
- Downloads the latest SPDX license dataset
- Optionally uses LLM (Ollama + llama3) for enhanced analysis via StrandsAgents SDK
- Generates comprehensive policy files with custom requirements

## Quick Start

### Instant Usage (No Setup Required)

With v1.2.0, OSPAC works immediately after installation:

```bash
# Get comprehensive license obligations
ospac obligations -l "GPL-3.0,MIT" -f json

# Check license compatibility
ospac check "GPL-2.0" "Apache-2.0"  # Correctly identifies as incompatible

# Evaluate licenses for mobile distribution
ospac evaluate -l "GPL-3.0" -d mobile  # Correctly denies GPL for mobile apps

# Create mobile-specific policy
ospac policy init --template mobile --output mobile_policy.yaml
```

## Command Examples

### Policy Evaluation

```bash
# Evaluate licenses against policies (JSON output by default)
ospac evaluate -l "GPL-3.0,MIT" -d commercial

# Check license compatibility
ospac check GPL-3.0 MIT -c static_linking

# Get license obligations with complete metadata
ospac obligations -l "Apache-2.0,MIT" -f json

# Create policies for specific build targets
ospac policy init --template mobile --output mobile_policy.yaml
ospac policy init --template desktop --output desktop_policy.yaml

# Validate policy syntax
ospac policy validate ./my_policy.yaml

# Evaluate for specific distribution types
ospac evaluate -l "GPL-3.0" -d mobile    # Correctly denies GPL for mobile
ospac evaluate -l "MIT" -d embedded      # Allows permissive licenses
```

### Python API

```python
from ospac import PolicyRuntime

# Initialize runtime (uses default enterprise policy with v1.2.0)
runtime = PolicyRuntime()

# Or with custom policies
runtime = PolicyRuntime.from_path("policies/")

# Evaluate licenses with comprehensive results
result = runtime.evaluate({
    "licenses_found": ["GPL-3.0", "MIT"],
    "context": "static_linking",
    "distribution": "commercial"
})
# Returns: action, severity, message, requirements, remediation, obligations

# Check compatibility between licenses
compat = runtime.check_compatibility("GPL-2.0", "Apache-2.0")  # Returns False

# Get complete obligations with license metadata
obligations = runtime.get_obligations(["Apache-2.0", "MIT"])
# Returns: full license data with properties, requirements, limitations
```

### Data Commands (Advanced Usage)

**Note:** v1.2.0 includes a complete pre-built dataset. Data generation is only needed for custom analysis.

```bash
# Show license information (works out of the box)
ospac data show MIT
ospac data show GPL-3.0

# Optional: Regenerate data with latest SPDX
ospac data download-spdx
ospac data generate --output-dir ./data

# Advanced: Generate with LLM analysis (requires Ollama with llama3)
ospac data generate --use-llm --output-dir ./data

# Validate data integrity
ospac data validate --data-dir ./data
```

## Policy Files

OSPAC uses declarative policy files to define all compliance logic:

### License Definition (v1.2.0 JSON Format)

```json
{
  "license": {
    "id": "MIT",
    "name": "MIT",
    "type": "permissive",
    "spdx_id": "MIT",

    "properties": {
      "commercial_use": true,
      "distribution": true,
      "modification": true,
      "patent_grant": false,
      "private_use": true
    },

    "requirements": {
      "include_license": true,
      "include_copyright": true,
      "disclose_source": false,
      "same_license": false,
      "state_changes": false
    },

    "limitations": {
      "liability": false,
      "warranty": false,
      "trademark_use": false
    },

    "obligations": [
      "Include the copyright notice and permission notice in all copies or substantial portions of the Software."
    ],

    "compatibility": {
      "static_linking": {
        "compatible_with": ["Apache-2.0", "BSD-3-Clause", "GPL-3.0"],
        "incompatible_with": [],
        "requires_review": []
      }
    }
  }
}
```

### Organizational Policy

```yaml
# policies/organizations/my_company.yaml
version: "1.0"

rules:
  - id: no_copyleft
    when:
      license_type: copyleft_strong
    then:
      action: deny
      message: "Strong copyleft licenses not allowed"
```

## Integration with SEMCL.ONE

OSPAC integrates seamlessly with the SEMCL.ONE ecosystem:

```python
# Use with osslili for license detection
from osslili import scan_directory
from ospac import PolicyRuntime

# Detect licenses
licenses = scan_directory("/path/to/project")

# Validate against policy
runtime = PolicyRuntime.from_path("policies/")
result = runtime.evaluate({"licenses_found": licenses})
```

## Project Structure

```
ospac/
├── runtime/           # Policy execution engine
├── data/             # Pre-built JSON dataset (v1.2.0)
│   └── licenses/
│       └── json/     # 712 SPDX licenses in JSON format
├── defaults/         # Default enterprise policy
├── schemas/          # JSON schema validation
├── models/           # Data models
├── cli/              # CLI interface
└── pipeline/         # Data generation (optional)
```

## Contributing

We welcome contributions! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details.

## Support

For support, please:
- Check the [documentation](https://github.com/SemClone/ospac)
- File an issue on [GitHub](https://github.com/SemClone/ospac/issues)
- See [SUPPORT.md](SUPPORT.md) for more options

## License

This project uses dual licensing:

- **Software Code**: Apache-2.0 - See [LICENSE](LICENSE) for details
- **License Database**: CC BY-NC-SA 4.0 - See [DATA_LICENSE](DATA_LICENSE) for details

### Software License (Apache-2.0)

All source code in this repository (Python files, scripts, configuration) is licensed under the Apache License, Version 2.0. This allows for commercial use, modification, and distribution of the software.

### Dataset License (CC BY-NC-SA 4.0)

The OSPAC license database located in `ospac/data/` is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. This means:

- **Non-Commercial Use Only**: The dataset cannot be used for commercial purposes
- **Attribution Required**: You must give appropriate credit when using the dataset
- **Share-Alike**: Any derivatives must be shared under the same CC BY-NC-SA 4.0 license

For academic research, open-source projects, or internal non-commercial use, you are free to use the dataset according to the CC BY-NC-SA 4.0 terms.

## Authors

See [AUTHORS.md](AUTHORS.md) for a list of contributors.

## Acknowledgments

- SPDX Project for license standardization
- SEMCL.ONE ecosystem for integration capabilities
- Open Chain Project for compliance best practices

