validate_policy
Validate licenses against organizational policies for mobile, commercial, SaaS, and other distribution types. Returns clear approve or deny decisions.
Instructions
Validate if licenses are approved or rejected for a specific project/distribution type.
This tool evaluates licenses against organizational policies and returns clear APPROVE or DENY decisions based on the distribution type. This is the primary tool for answering: "Can I use these licenses for my [mobile/commercial/saas/etc] project?"
Key Use Cases:
Check if licenses are approved for mobile app distribution
Validate licenses for commercial products
Ensure SaaS deployment compliance
Verify licenses for embedded systems
Check licenses for any distribution type
Returns clear approve/deny decisions:
action: "approve" (licenses are allowed), "deny" (licenses blocked), or "review" (manual review needed)
severity: "info" (approved), "warning" (review), "error" (denied)
message: Explanation of the decision
requirements: What must be done to comply (if approved)
remediation: How to fix the issue (if denied)
Args: licenses: List of SPDX license IDs to validate (e.g., ["MIT", "Apache-2.0", "GPL-3.0"]) policy_file: Optional custom policy directory (uses enterprise defaults if not provided) distribution: Distribution type - determines policy rules: - "mobile": iOS/Android apps (blocks GPL, allows permissive) - "commercial": Commercial products (blocks strong copyleft) - "saas": Software as a Service (blocks AGPL, allows GPL) - "embedded": Embedded systems (blocks copyleft) - "desktop": Desktop applications - "web": Web applications - "open_source": Open source projects (allows most licenses) - "internal": Internal use only (allows all) context: Optional usage context (e.g., "static_linking", "dynamic_linking")
Returns: Dictionary with: - licenses: List of licenses evaluated - distribution: Distribution type used - context: Context evaluated - result.action: "approve", "deny", or "review" - result.severity: "info" (approved), "warning" (review), or "error" (denied) - result.message: Human-readable decision explanation - result.requirements: List of compliance requirements (if approved) - result.remediation: Suggested fix (if denied, e.g., "Replace with MIT alternative") - using_default_policy: Whether default enterprise policy was used
Examples: # Check if licenses are approved for mobile app validate_policy(["MIT", "Apache-2.0"], distribution="mobile") → action: "approve" ✓
# Check GPL for mobile (will be denied)
validate_policy(["GPL-3.0"], distribution="mobile")
→ action: "deny", remediation: "Replace with permissive alternative"
# Check licenses for commercial distribution
validate_policy(["MIT", "LGPL-2.1", "Apache-2.0"], distribution="commercial")
→ action: "approve" or "review" depending on policy
# Check AGPL for SaaS (will be denied)
validate_policy(["AGPL-3.0"], distribution="saas")
→ action: "deny", reason: "Network copyleft requires source disclosure"Workflow Integration: 1. After scanning: scan_directory() → extract licenses → validate_policy() 2. Quick check: validate_policy(["GPL-3.0"], distribution="mobile") → see if approved 3. Policy enforcement: validate_policy() → if action=="deny" → block deployment
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| context | No | ||
| licenses | Yes | ||
| policy_file | No | ||
| distribution | No | binary |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |