feat: license file scanning (source code + SPDX detection)

## Context

Current license detection is registry-only (PyPI/npm metadata). Trivy scans source files for license headers and SPDX identifiers. We should add this capability.

## Scope

- [ ] Scan LICENSE, LICENSE.md, COPYING files for SPDX identifiers
- [ ] Detect license headers in source files (top-of-file patterns)
- [ ] SPDX expression matching and validation
- [ ] Copyleft vs permissive classification
- [ ] Integrate with existing `license_compliance_scan` MCP tool

## Current state
- Registry license enrichment works (PyPI/npm/Maven/RubyGems)
- `license_compliance_scan` MCP tool exists
- CycloneDX/SPDX export includes license fields

## References
- `src/agent_bom/resolver.py` — registry license fetch
- `src/agent_bom/license_policy.py` — policy engine

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: license file scanning (source code + SPDX detection) #872

Context

Scope

Current state

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

feat: license file scanning (source code + SPDX detection) #872

Description

Context

Scope

Current state

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions