feat: CNCF license policy as default, exception handling improvements (#10)

* Add CI Jobs for labeler and releases / pre releases

* feat: CNCF license policy as default, exception handling improvements, deployment examples

- Set CNCF Allowed Third-Party License Policy as default (18 permissive, 21 copyleft)
- Promote "All CNCF Projects" exceptions to blanket exceptions automatically
- Split compound license expressions (OR, AND, comma-separated) into individual SPDX IDs
- Add substring matching for CNCF-style short package names in exception lookup
- Parsing worker: fallback to PVC path for license exceptions loading
- Add examples/ directory with Kind and Kubernetes deployment configs
- Production example uses seed job instead of git-sync (git-sync fails for large repos)
- Document all 3 SBOM ingestion methods (seed job, git-sync, manual PVC)
- Add Makefile targets: kind-build, kind-deploy, kind-reingest
- Add License Policy section to README with customisation instructions
- Bump version to 0.1.2 across Helm chart, values, examples, and docs
- Add 8 new tests for CNCF exception handling (87+ total)

* feat: CNCF license policy as default, exception handling improvements, deployment examples

- Set CNCF Allowed Third-Party License Policy as default (18 permissive, 21 copyleft)
- Promote "All CNCF Projects" exceptions to blanket exceptions automatically
- Split compound license expressions (OR, AND, comma-separated) into individual SPDX IDs
- Add substring matching for CNCF-style short package names in exception lookup
- Parsing worker: fallback to PVC path for license exceptions loading
- Add examples/ directory with Kind and Kubernetes deployment configs
- Production example uses seed job instead of git-sync (git-sync fails for large repos)
- Document all 3 SBOM ingestion methods (seed job, git-sync, manual PVC)
- Add Makefile targets: kind-build, kind-deploy, kind-reingest
- Add License Policy section to README with customisation instructions
- Bump version to 0.1.2 across Helm chart, values, examples, and docs
- Add 8 new tests for CNCF exception handling (87+ total)

Author: mfahlandt

.github/workflows/labeler.yml

@@ -1,7 +1,7 @@
 name: Auto-Label PRs
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened]
 
 permissions:

.gitignore

@@ -8,6 +8,12 @@
 *.so
 *.dylib
 
+# Compiled Go binaries (built by `go build`)
+backend/api-gateway
+backend/parsing-worker
+backend/ingestion-watcher
+backend/cve-refresher
+
 # Test binary, built with `go test -c`
 *.test
 
@@ -27,6 +33,9 @@ go.work.sum
 # env file
 .env
 
+# Local kind deployment (secrets, overrides)
+local/
+
 # Editor/IDE
 # .idea/
 # .vscode/

Makefile

@@ -5,6 +5,7 @@
 .PHONY: ingest worker api
 .PHONY: images images-push
 .PHONY: sync-labels
+.PHONY: kind-up kind-down kind-reingest kind-build kind-deploy
 
 SHELL := /bin/bash
 REGISTRY ?= ghcr.io
@@ -160,3 +161,41 @@ images-push: images ## Build and push all images to GHCR (TAG=dev)
 # ─── GitHub ──────────────────────────────────────────────────────────────────
 sync-labels: ## Sync GitHub labels from .github/labels.yml (requires gh + yq)
 	.github/scripts/sync-labels.sh
+
+# ─── Kind (local Kubernetes) ─────────────────────────────────────────────────
+kind-up: ## Deploy SeeBOM to a local Kind cluster (see local/secrets.env)
+	./local/setup.sh
+
+kind-down: ## Destroy the local Kind cluster
+	./local/teardown.sh
+
+kind-reingest: ## Re-ingest all SBOMs in Kind (no re-download, truncates data + re-queues)
+	@echo "🗑️  Truncating data tables..."
+	@source local/secrets.env 2>/dev/null; \
+	kubectl exec -n seebom chi-seebom-clickhouse-seebom-cluster-0-0-0 -c clickhouse -- \
+		clickhouse-client --database=seebom --password="$${CLICKHOUSE_PASSWORD:-seebom}" --multiquery \
+		--query "TRUNCATE TABLE ingestion_queue; TRUNCATE TABLE license_compliance; TRUNCATE TABLE vulnerabilities; TRUNCATE TABLE sbom_packages; TRUNCATE TABLE sboms; TRUNCATE TABLE vex_statements;"
+	@echo "♻️  Triggering ingestion watcher..."
+	@kubectl create job --from=cronjob/seebom-ingestion-watcher seebom-reingest-$$(date +%s) -n seebom
+	@echo "✅ Re-ingest started. Workers will re-process all SBOMs from the PVC."
+	@echo "   Monitor: curl -s http://localhost:8080/api/v1/stats/dashboard | jq .total_sboms"
+
+kind-build: images ## Build dev images and load them into the Kind cluster
+	@echo "📦 Loading images into Kind cluster..."
+	kind load docker-image $(REGISTRY)/$(REPO)/ingestion-watcher:$(TAG) --name seebom
+	kind load docker-image $(REGISTRY)/$(REPO)/parsing-worker:$(TAG)    --name seebom
+	kind load docker-image $(REGISTRY)/$(REPO)/api-gateway:$(TAG)       --name seebom
+	kind load docker-image $(REGISTRY)/$(REPO)/cve-refresher:$(TAG)     --name seebom
+	kind load docker-image $(REGISTRY)/$(REPO)/ui:$(TAG)                --name seebom
+	@echo "✅ Loaded 5 images into Kind (tag: $(TAG))"
+
+kind-deploy: kind-build ## Build images, load into Kind, and upgrade Helm release
+	@source local/secrets.env 2>/dev/null; \
+	helm upgrade seebom deploy/helm/seebom/ \
+		-n seebom \
+		-f local/values-local.yaml \
+		--set clickhouse.password="$${CLICKHOUSE_PASSWORD:-seebom}" \
+		--set github.token="$${GITHUB_TOKEN:-}"
+	@kubectl rollout restart deployment/seebom-api-gateway deployment/seebom-parsing-worker -n seebom
+	@echo "✅ Deployed. Pods restarting with new images."
+

README.md

@@ -130,7 +130,24 @@ docker compose up -d --force-recreate api-gateway parsing-worker
 
 See [docs/DEPLOYMENT_GUIDE.md](docs/DEPLOYMENT_GUIDE.md) for Kubernetes deployment instructions.
 
-### Option B: Local Development (Hot Reload)
+### Option B: Local Kubernetes (Kind)
+
+Deploy the full stack to a local [Kind](https://kind.sigs.k8s.io/) cluster, including ClickHouse Operator, CNCF SBOM ingestion, and the Angular UI:
+
+```bash
+# 1. Copy secrets template and fill in your values
+cp examples/kind/secrets.env.example local/secrets.env
+vi local/secrets.env
+
+# 2. Deploy
+make kind-up
+
+# UI: http://localhost:8090   API: http://localhost:8080/healthz
+```
+
+See [`examples/`](examples/) for Kind and production Kubernetes deployment configs.
+
+### Option C: Local Development (Hot Reload)
 
 Use this when you want to iterate on code quickly:
 
@@ -218,18 +235,28 @@ See [docs/TESTING.md](docs/TESTING.md) for writing and running tests.
 
 | Command | Description |
 |---------|-------------|
+| **Docker Compose** | |
 | `make dev` | Start full stack via Docker Compose |
 | `make dev-down` | Stop all containers |
 | `make dev-restart` | Restart with new `.env` values (keeps data) |
 | `make dev-logs` | Follow all container logs |
 | `make dev-reset` | Destroy data volumes and restart fresh |
+| `make dev-status` | Show container status and ingestion progress |
 | `make re-ingest` | Re-trigger the Ingestion Watcher (scans for new files) |
 | `make re-scan` | Wipe all data and re-process everything (e.g. after enabling OSV) |
 | `make cve-refresh` | Check all known PURLs for new CVEs (without re-scanning SBOMs) |
 | `make migrate` | Run all pending database migrations |
+| **Kind (Local Kubernetes)** | |
+| `make kind-up` | Create Kind cluster and deploy SeeBOM via Helm |
+| `make kind-down` | Destroy the Kind cluster |
+| `make kind-build` | Build all container images and load them into Kind |
+| `make kind-deploy` | Build images, Helm upgrade, and restart pods |
+| `make kind-reingest` | Re-ingest all SBOMs (truncate data, re-queue, no re-download) |
+| **ClickHouse** | |
 | `make ch-only` | Start only ClickHouse (for local dev) |
 | `make ch-migrate` | Run SQL migrations against ClickHouse |
 | `make ch-shell` | Open ClickHouse CLI |
+| **Local Dev** | |
 | `make api` | Run API Gateway locally |
 | `make ingest` | Run Ingestion Watcher locally |
 | `make worker` | Run Parsing Worker locally |
@@ -238,6 +265,9 @@ See [docs/TESTING.md](docs/TESTING.md) for writing and running tests.
 | `make backend-test` | Run all Go tests |
 | `make backend-vet` | Run go vet + go fmt |
 | `make ui-build` | Build Angular for production |
+| **Images** | |
+| `make images` | Build all 5 container images locally (TAG=dev) |
+| `make images-push` | Build and push all images to GHCR |
 
 ---
 
@@ -288,6 +318,41 @@ make dev-reset
 
 ---
 
+## License Policy
+
+By default, SeeBOM enforces the [CNCF Allowed Third-Party License Policy](https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md):
+
+- **Permissive (allowed):** Apache-2.0, MIT, MIT-0, 0BSD, BSD-2-Clause, BSD-3-Clause, ISC, PSF-2.0, Python-2.0, PostgreSQL, UPL-1.0, X11, Zlib, OpenSSL, and a few more (18 total)
+- **Copyleft (flagged):** GPL, LGPL, AGPL, MPL-2.0, EPL, EUPL, CPAL, and others (21 total)
+- **Unknown:** Any license not in either list is flagged for review
+
+### CNCF Exception List
+
+The [CNCF license exceptions](https://github.com/cncf/foundation/blob/main/license-exceptions/exceptions.json) are automatically downloaded and applied. Packages covered by a CNCF Governing Board exception are marked as exempted rather than non-compliant.
+
+Exceptions with `"project": "All CNCF Projects"` are treated as blanket exceptions (apply to every SBOM).
+
+### Customising the Policy
+
+Override the default policy via Helm values:
+
+```yaml
+licensePolicy:
+  custom: |
+    {
+      "permissive": ["Apache-2.0", "MIT"],
+      "copyleft": ["GPL-3.0-only", "AGPL-3.0-only"]
+    }
+```
+
+Or edit the ConfigMap directly:
+
+```bash
+kubectl edit configmap seebom-license-policy -n seebom
+```
+
+---
+
 ## Tech Stack
 
 | Layer | Technology |

backend/cmd/api-gateway/main.go

@@ -26,6 +26,7 @@ func main() {
 	defer chClient.Close()
 
 	exceptionsPath := cfg.ExceptionsFile
+	sbomDirExceptionsPath := cfg.SBOMDir + "/license-exceptions.json"
 
 	// Load license policy (permissive/copyleft classification).
 	if perm, copy, err := license.LoadPolicy(cfg.LicensePolicyFile); err == nil {
@@ -160,11 +161,8 @@ func main() {
 
 	// Projects with license violations (filtered by exceptions).
 	mux.HandleFunc("GET /api/v1/projects/license-violations", func(w http.ResponseWriter, r *http.Request) {
-		// Load current exceptions for filtering.
-		var excIdx *license.ExceptionIndex
-		if idx, err := license.LoadExceptions(exceptionsPath); err == nil {
-			excIdx = idx
-		}
+		// Load current exceptions for filtering (try config path, then SBOM dir).
+		excIdx, _ := license.LoadExceptionsWithFallback(exceptionsPath, sbomDirExceptionsPath)
 		violations, err := chClient.QueryProjectsWithLicenseViolations(r.Context(), excIdx)
 		if err != nil {
 			log.Printf("ERROR: license violations: %v", err)
@@ -216,10 +214,10 @@ func main() {
 		writeJSON(w, http.StatusOK, resp)
 	})
 
-	// ── License Exceptions (read-only from config file) ────────────────
+	// ── License Exceptions (read-only from config file or SBOM dir) ────
 	mux.HandleFunc("GET /api/v1/license-exceptions", func(w http.ResponseWriter, r *http.Request) {
-		idx, err := license.LoadExceptions(exceptionsPath)
-		if err != nil {
+		idx, err := license.LoadExceptionsWithFallback(exceptionsPath, sbomDirExceptionsPath)
+		if err != nil || idx == nil {
 			writeJSON(w, http.StatusOK, license.ExceptionsFile{
 				Version:           "1.0.0",
 				BlanketExceptions: []license.BlanketException{},

backend/cmd/parsing-worker/main.go

@@ -45,14 +45,15 @@ func main() {
 		log.Printf("Using default license policy (tried %s): %v", cfg.LicensePolicyFile, err)
 	}
 
-	// Load license exceptions if available.
+	// Load license exceptions if available (try config path, then SBOM dir fallback).
 	var exceptionsIndex *license.ExceptionIndex
-	if idx, err := license.LoadExceptions(cfg.ExceptionsFile); err == nil {
+	sbomDirExceptionsPath := cfg.SBOMDir + "/license-exceptions.json"
+	if idx, err := license.LoadExceptionsWithFallback(cfg.ExceptionsFile, sbomDirExceptionsPath); err == nil {
 		exceptionsIndex = idx
-		log.Printf("Loaded license exceptions from %s (%d blanket, %d specific)",
-			cfg.ExceptionsFile, len(idx.Raw.BlanketExceptions), len(idx.Raw.Exceptions))
+		log.Printf("Loaded license exceptions (%d blanket, %d specific)",
+			len(idx.Raw.BlanketExceptions), len(idx.Raw.Exceptions))
 	} else {
-		log.Printf("No license exceptions loaded (tried %s): %v", cfg.ExceptionsFile, err)
+		log.Printf("No license exceptions loaded (tried %s, %s): %v", cfg.ExceptionsFile, sbomDirExceptionsPath, err)
 	}
 
 	// Initialize GitHub license resolver for unknown licenses.

backend/internal/clickhouse/queries_github_cache.go

@@ -114,7 +114,11 @@ func (c *Client) QueryArchivedPackages(ctx context.Context) ([]ArchivedPackageIn
 		FROM sbom_packages p FINAL
 		ARRAY JOIN p.package_names AS pkg_name, p.package_purls AS pkg_purl
 		JOIN sboms s FINAL ON p.sbom_id = s.sbom_id
-		JOIN github_repo_metadata m FINAL ON m.archived = true
+		CROSS JOIN (
+			SELECT repo, pushed_at, stargazers
+			FROM github_repo_metadata FINAL
+			WHERE archived = true
+		) m
 		WHERE lower(pkg_purl) LIKE concat('%', m.repo, '%')
 		ORDER BY project_name, s.source_file
 	`)

backend/internal/license/checker.go

@@ -31,10 +31,19 @@ type Policy struct {
 	copyleft   map[string]bool
 }
 
-// built-in defaults, used when no policy file is provided.
+// built-in defaults based on the CNCF Allowed Third-Party License Policy:
+// https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md
+// Apache-2.0 (CNCF project license) + the CNCF Allowlist are permissive.
+// Everything else requires a CNCF Governing Board exception.
 var defaultPermissive = []string{
-	"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC",
-	"Unlicense", "0BSD", "CC0-1.0", "Zlib", "BSL-1.0", "PSF-2.0",
+	"Apache-2.0",
+	"MIT", "MIT-0",
+	"0BSD", "BSD-2-Clause", "BSD-2-Clause-FreeBSD", "BSD-3-Clause",
+	"ISC",
+	"PSF-2.0", "Python-2.0", "Python-2.0.1",
+	"PostgreSQL",
+	"UPL-1.0", "X11", "Zlib",
+	"OpenSSL", "OpenSSL-standalone", "SSLeay-standalone",
 }
 
 var defaultCopyleft = []string{