Merge pull request #19 from agamm/add-license-compliance-agent

Add License Compliance Agent

Author: SagiMedina

agents/license-compliance/README.md

@@ -0,0 +1,127 @@
+# License Compliance Agent
+
+🔐 Automated license compliance checking for your codebase. Prevents license violations before merging code.
+
+## Features
+
+- **Multi-Language Support**: Python, Node.js, Rust, Ruby, Go, Java
+- **Smart Detection**: Finds dependencies in manifests, imports, and uv scripts
+- **Flexible Policies**: Configurable allowed/blocked license lists
+- **CI/CD Ready**: Works with GitHub Actions, GitLab CI, Jenkins, pre-commit
+
+## Quick Start
+
+```bash
+# Basic usage
+qodo --agent-file=qodo-agent.toml -y --set directory=./src
+
+# Custom policies  
+qodo --agent-file=qodo-agent.toml -y \
+  --set directory=./src \
+  --set allowed_licenses="MIT,Apache-2.0" \
+  --set blocked_licenses="GPL-3.0,AGPL-3.0"
+```
+
+## Configuration
+
+### Arguments
+
+| Argument | Type | Required | Default | Description |
+|----------|------|----------|---------|-------------|
+| `directory` | string | ✅ | - | Directory path to scan for dependencies |
+| `allowed_licenses` | string | ❌ | `MIT,BSD-2-Clause,BSD-3-Clause,Apache-2.0,ISC,Unlicense` | Comma-separated list of allowed licenses |
+| `blocked_licenses` | string | ❌ | `GPL-3.0,AGPL-3.0,SSPL-1.0` | Comma-separated list of blocked licenses |
+| `ignore_dev_dependencies` | boolean | ❌ | `true` | Skip checking development-only dependencies |
+
+## Test with Examples
+
+```bash
+qodo --agent-file=qodo-agent.toml -y --set directory=./examples/python
+```
+
+Expected: MIT license passes ✅, GPL license fails ❌
+
+## CI/CD Integration
+
+See complete examples in `examples/ci/`:
+- GitHub Actions: `github-actions.yml`
+- GitLab CI: `gitlab-ci.yml` 
+- Jenkins: `Jenkinsfile`
+- Pre-commit: `pre-commit-config.yaml`
+
+## Supported Package Managers
+
+| Language | Package Manager | Registry API | License Detection |
+|----------|----------------|--------------|-------------------|
+| Python | pip/uv | PyPI | ✅ Comprehensive |
+| Node.js | npm/yarn | npm Registry | ✅ Comprehensive |
+| Rust | cargo | crates.io | ✅ Comprehensive |
+| Ruby | gem | RubyGems | ✅ Comprehensive |
+| Go | go mod | pkg.go.dev | ⚠️ Limited |
+| Java | maven/gradle | Maven Central | ⚠️ Limited |
+
+## Troubleshooting
+
+### Common Issues
+
+**Issue**: `curl: command not found`
+```bash
+# Ubuntu/Debian
+sudo apt-get install curl
+
+# macOS
+brew install curl
+
+# Alpine
+apk add curl
+```
+
+**Issue**: `jq: command not found`
+```bash
+# Ubuntu/Debian
+sudo apt-get install jq
+
+# macOS
+brew install jq
+
+# Alpine
+apk add jq
+```
+
+**Issue**: Package not found in registry
+- Verify package name spelling
+- Check if package exists in the registry
+- Some packages may have different names in different registries
+
+**Issue**: License information unavailable
+- The agent will flag these for manual review
+- Check the package's GitHub repository for license information
+- Contact package maintainers if license is unclear
+
+### Debug Mode
+
+For verbose output, you can modify the agent to include debug information:
+
+```bash
+qodo chat qodo-agent.toml
+```
+
+Then ask: "Please scan ./src directory with verbose logging enabled"
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch
+3. Make your changes
+4. Test with the provided examples
+5. Submit a pull request
+
+## License
+
+This project is licensed under the MIT License - see the LICENSE file for details.
+
+## Support
+
+- 📚 [Qodo Documentation](https://docs.qodo.ai/)
+- 💬 [Discord Community](https://discord.gg/qodo)
+- 🐛 [Report Issues](https://github.com/qodo-ai/agents/issues)

agents/license-compliance/agent.toml

@@ -0,0 +1,159 @@
+version = "1.0"
+
+[commands.license_compliance_check]
+description = "Analyze code changes and dependencies to ensure license compliance before merging code into projects."
+
+instructions = """
+You are a license compliance specialist responsible for ensuring all dependencies in a directory meet legal requirements.
+
+IMPORTANT: You are analyzing existing code, NOT writing new scripts. Manually review and check dependencies.
+
+Your workflow:
+
+1. DIRECTORY SCANNING PHASE
+   - List all files in the specified directory
+   - Identify Python files, package manifests (requirements.txt, pyproject.toml, setup.py), and other dependency files
+   - For Python files, scan for import statements and uv script dependencies (# dependencies = [...] sections)
+
+2. DEPENDENCY EXTRACTION PHASE
+   - Extract all dependencies from:
+     * Python import statements (import X, from X import Y)
+     * uv script dependency declarations in comments
+     * requirements.txt, setup.py, pyproject.toml files
+   - Create a comprehensive list of all dependencies found
+
+3. LICENSE RESEARCH PHASE
+   - For each dependency, use the appropriate package registry API + bash command + jq to extract the license:
+   
+   * Python (PyPI):
+     curl -s https://pypi.org/pypi/PACKAGE_NAME/json | jq -r '
+       .info.license                                  
+       //                                             
+       (.info.classifiers[]                           
+         | select(test("^License ::"))                
+         | sub("^License ::[[:space:]]*"; ""))'
+   
+   * Node.js (npm):
+     curl -s https://registry.npmjs.org/PACKAGE_NAME | jq -r '.license // .latest.license // .versions[.["dist-tags"].latest].license'
+   
+   * Rust (crates.io):
+     curl -s https://crates.io/api/v1/crates/PACKAGE_NAME | jq -r '.crate.license'
+   
+   * Ruby (RubyGems):
+     curl -s https://rubygems.org/api/v1/gems/PACKAGE_NAME.json | jq -r '.licenses[]?'
+   
+   * Go (pkg.go.dev):
+     curl -s "https://api.pkg.go.dev/v1/module/MODULE_NAME" | jq -r '.License // "License information not available"'
+   
+   * Java Maven:
+     curl -s "https://search.maven.org/solrsearch/select?q=g:GROUP_ID+AND+a:ARTIFACT_ID&core=gav&rows=1&wt=json" | jq -r '.response.docs[0] | .license // "License information not available"'
+   
+   - Build a comprehensive list of all licenses found
+   - If license information is not available via API, note it for manual review
+
+4. LICENSE COMPATIBILITY ASSESSMENT
+   - Compare each discovered license against the allowed/blocked license lists
+   - Apply standard license compatibility rules:
+     * Permissive licenses (MIT, BSD, Apache 2.0) - generally safe
+     * Weak copyleft (LGPL, MPL) - requires careful consideration
+     * Strong copyleft (GPL v2/v3) - may require project to be GPL
+     * Network copyleft (AGPL) - requires source disclosure for network services
+     * Proprietary/Commercial - requires explicit licensing agreement
+   - Flag any licenses that require legal review
+
+5. COMPLIANCE REPORTING PHASE
+   - Generate a detailed compliance report with:
+     * Summary of compliance status (PASS/FAIL/REVIEW_REQUIRED)
+     * List of all dependencies with their licenses
+     * Any license violations or concerns found
+     * Specific recommendations for resolving issues
+     * Alternative dependency suggestions for problematic licenses
+   - Provide clear guidance on compliance status
+
+Always prioritize conservative compliance - when in doubt, flag for legal review rather than risking violations.
+"""
+
+arguments = [
+    { name = "directory", type = "string", required = true, description = "Directory path to scan for dependencies and license compliance" },
+    { name = "allowed_licenses", type = "string", required = false, description = "Comma-separated list of explicitly allowed licenses", default = "MIT,BSD-2-Clause,BSD-3-Clause,Apache-2.0,ISC,Unlicense" },
+    { name = "blocked_licenses", type = "string", required = false, description = "Comma-separated list of blocked licenses that should never be allowed", default = "GPL-3.0,AGPL-3.0,SSPL-1.0" },
+    { name = "ignore_dev_dependencies", type = "boolean", required = false, description = "Skip license checking for development-only dependencies", default = true }
+]
+
+mcpServers = """{}"""
+
+tools = ["git", "filesystem", "shell"]
+
+execution_strategy = "act"
+
+output_schema = """
+{
+   "properties": {
+       "compliance_status": {
+           "description": "Overall compliance status",
+           "title": "Compliance Status",
+           "type": "string",
+           "enum": ["PASS", "FAIL", "REVIEW_REQUIRED"]
+       },
+       "new_dependencies": {
+           "description": "New dependencies introduced in this change",
+           "title": "New Dependencies",
+           "type": "array",
+           "items": {
+               "type": "object",
+               "properties": {
+                   "name": { "type": "string" },
+                   "license": { "type": "string" },
+                   "source": { "type": "string" },
+                   "status": { 
+                       "type": "string",
+                       "enum": ["allowed", "blocked", "review_required", "unknown"]
+                   }
+               },
+               "required": ["name", "license", "status"]
+           }
+       },
+       "license_violations": {
+           "description": "License compliance violations found",
+           "title": "License Violations",
+           "type": "array",
+           "items": {
+               "type": "object",
+               "properties": {
+                   "type": { 
+                       "type": "string",
+                       "enum": ["blocked_license", "missing_license", "incompatible_license", "missing_attribution", "copyleft_risk"]
+                   },
+                   "severity": { 
+                       "type": "string",
+                       "enum": ["high", "medium", "low"]
+                   },
+                   "description": { "type": "string" },
+                   "component": { "type": "string" },
+                   "recommendation": { "type": "string" }
+               },
+               "required": ["type", "severity", "description", "component"]
+           }
+       },
+       "recommendations": {
+           "description": "Specific recommendations for resolving issues",
+           "title": "Recommendations",
+           "type": "array",
+           "items": { "type": "string" }
+       },
+       "summary": {
+           "description": "Human-readable summary of the license compliance analysis",
+           "title": "Summary",
+           "type": "string"
+       },
+       "safe_to_merge": {
+           "description": "Whether the changes can be safely merged without license concerns",
+           "title": "Safe to Merge",
+           "type": "boolean"
+       }
+   },
+   "required": ["compliance_status", "new_dependencies", "license_violations", "summary", "safe_to_merge"]
+}
+"""
+
+exit_expression = "safe_to_merge"

agents/license-compliance/examples/ci/Jenkinsfile

@@ -0,0 +1,26 @@
+pipeline {
+    agent any
+    
+    stages {
+        stage('License Compliance') {
+            steps {
+                sh '''
+                    curl -fsSL https://install.qodo.ai | sh
+                    qodo --agent-file=qodo-agent.toml -y --set directory=./src
+                '''
+            }
+            post {
+                always {
+                    archiveArtifacts artifacts: 'license-report.json', allowEmptyArchive: true
+                }
+                failure {
+                    emailext (
+                        subject: "License Compliance Check Failed - ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
+                        body: "License compliance check failed. Please review the attached report.",
+                        to: "${env.CHANGE_AUTHOR_EMAIL}"
+                    )
+                }
+            }
+        }
+    }
+}

agents/license-compliance/examples/ci/docker-example.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Docker-based license compliance check
+# Usage: ./docker-example.sh /path/to/project
+
+PROJECT_DIR=${1:-$(pwd)}
+
+docker run --rm \
+  -v "$PROJECT_DIR:/workspace" \
+  -w /workspace \
+  ubuntu:latest \
+  bash -c "
+    apt-get update && apt-get install -y curl jq
+    curl -fsSL https://install.qodo.ai | sh
+    qodo --agent-file=qodo-agent.toml -y --set directory=./src
+  "

agents/license-compliance/examples/ci/github-actions.yml

@@ -0,0 +1,43 @@
+name: License Compliance Check
+
+on:
+  pull_request:
+    branches: [main, develop]
+  push:
+    branches: [main]
+
+jobs:
+  license-compliance:
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      
+    - name: Install dependencies
+      run: |
+        curl -fsSL https://install.qodo.ai | sh
+        sudo apt-get update && sudo apt-get install -y jq
+    
+    - name: Run License Compliance Check
+      run: |
+        qodo --agent-file=qodo-agent.toml -y --set directory=./src
+      
+    - name: Upload compliance report
+      if: always()
+      uses: actions/upload-artifact@v3
+      with:
+        name: license-compliance-report
+        path: license-report.json
+        
+    - name: Comment PR with results
+      if: github.event_name == 'pull_request' && failure()
+      uses: actions/github-script@v6
+      with:
+        script: |
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: '⚠️ License compliance check failed. Please review the license-compliance-report artifact for details.'
+          })

agents/license-compliance/examples/ci/gitlab-ci.yml

@@ -0,0 +1,15 @@
+license_compliance:
+  stage: test
+  image: ubuntu:latest
+  before_script:
+    - apt-get update && apt-get install -y curl jq
+    - curl -fsSL https://install.qodo.ai | sh
+  script:
+    - qodo --agent-file=qodo-agent.toml -y --set directory=./src
+  artifacts:
+    reports:
+      junit: license-report.xml
+    when: always
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH