Releases: SemClone/ospac

1.2.3

11 Nov 07:48
c33028c

Added

Policy Format Support

  • Added --format option to ospac policy init command supporting both YAML and JSON output
  • Default output filename now automatically uses selected format extension
  • JSON policy format fully supported for all policy operations and evaluations

Changed

Policy Templates - Enhanced Copyleft Restrictions

  • Updated all policy templates with more consistent and strict copyleft handling
  • Strong copyleft licenses (GPL, AGPL) now set to deny across all templates
  • Weak copyleft licenses (LGPL) handling improved:
    • Mobile template: LGPL now deny (app store compliance)
    • Embedded template: LGPL now deny (device distribution complexity)
    • Web template: LGPL changed from review to deny (compliance simplification)
    • Library template: LGPL changed from review to deny (user restriction prevention)
    • Desktop template: LGPL remains review (dynamic linking flexibility)
    • Server template: LGPL remains review (backend service flexibility)
  • Permissive licenses (MIT, Apache-2.0, BSD) remain approve in all templates
  • Added comprehensive remediation messages for all denied licenses

Policy Command Improvements

  • Policy init command now generates format-appropriate output files
  • Enhanced validation to work seamlessly with both YAML and JSON formats
  • Improved consistency across all policy template rules

1.2.2

08 Nov 00:30
99a0eb9

Release 1.2.2

Fixed

Data Show Command

  • Fixed ospac data show command to use package data directory instead of relative path
  • Command now works correctly regardless of the current working directory
  • Added JSON file support as primary data source with YAML fallback
  • Improved error messages when the license is not found

Details

This patch release fixes a critical bug in the ospac data show command that prevented it from working when executed from different working directories. The command used a hardcoded relative path, which failed to locate the license data files.

Changes:

  • Updated the command to use Path(__file__).parent.parent / "data" for proper package data resolution
  • Added JSON file support as the primary data source with automatic YAML fallback
  • Enhanced error messages to show available licenses when a license is not found
  • Verified functionality across multiple directory contexts (/tmp, ~, /, /var, etc.)
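The lookup behaviour described in these changes, sketched as an added example (not OSPAC's own code): the data directory is anchored on the module file rather than the working directory, JSON is tried before YAML, and a miss lists what is available. Assumptions: a flat directory with one `<SPDX-id>.json` or `.yaml` file per license, the hypothetical names `default_data_dir` and `load_license`, and an id check added here because the id becomes a file name.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: one file per license, named <SPDX-id>.json or <SPDX-id>.yaml.
SPDX_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+-]*")


def default_data_dir() -> Path:
    # Anchored on this module's location, so the caller's cwd is irrelevant.
    return Path(__file__).resolve().parent.parent / "data"


def load_license(license_id, data_dir=None):
    """Return (metadata, source_format); JSON first, YAML as fallback."""
    if not SPDX_ID.fullmatch(license_id):
        # The id is used as a file name: reject separators and leading dots.
        raise ValueError(f"invalid license id: {license_id!r}")
    base = Path(data_dir) if data_dir is not None else default_data_dir()
    json_path = base / f"{license_id}.json"
    if json_path.is_file():
        return json.loads(json_path.read_text(encoding="utf-8")), "json"
    yaml_path = base / f"{license_id}.yaml"
    if yaml_path.is_file():
        import yaml  # PyYAML, only needed on the legacy path
        return yaml.safe_load(yaml_path.read_text(encoding="utf-8")), "yaml"
    names = {p.stem for p in base.glob("*.json")}
    names |= {p.stem for p in base.glob("*.yaml")}
    listing = ", ".join(sorted(names)) or "none"
    raise LookupError(f"license {license_id!r} not found; available: {listing}")


def demo():
    # Constructed sample data, not OSPAC's real dataset.
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp)
        for lic in ("MIT", "Apache-2.0"):
            body = json.dumps({"id": lic, "type": "permissive"})
            (data / f"{lic}.json").write_text(body, encoding="utf-8")
        meta, fmt = load_license("MIT", data)
        missing, traversal_rejected = "", False
        try:
            load_license("GPL-3.0", data)
        except LookupError as exc:
            missing = str(exc)
        try:
            load_license("../secret", data)
        except ValueError:
            traversal_rejected = True
        return meta, fmt, missing, traversal_rejected
```
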

1.2.1

08 Nov 00:07
6e0f935

[1.2.1] - 2025-11-07

Fixed

Package Data Distribution

  • Fixed data files not being included in the installed package
  • Moved data directory from ospac/data/ to ospac/ospac/data/ to ensure proper packaging
  • Updated all code paths to use package-relative data directory paths instead of relative to the current working directory
  • CLI commands now work correctly regardless of which directory the tool is run from
  • Updated MANIFEST.in to reflect new data location

Code Improvements

  • Updated ospac.cli.commands to use Path(__file__).parent.parent / "data" for data resolution
  • Updated ospac.runtime.engine.PolicyRuntime.get_obligations() to use package-relative paths
  • Updated ospac.core.compatibility_matrix.CompatibilityMatrix to use package-relative paths
  • Made data_dir parameter optional (defaults to None) across all affected functions

1.2.0

07 Nov 02:19

OSPAC v1.2.0 Release Notes

Dataset Migration and Performance Improvements

OSPAC v1.2.0 represents a significant architectural upgrade, with a complete migration from YAML to JSON for the dataset format, achieving 100% test coverage and substantial performance improvements.

Added

JSON Dataset Format

  • Migrated license dataset from YAML to JSON format for improved parsing reliability
  • Added comprehensive JSON schema validation for license data structure
  • Enhanced data loading performance and reduced parsing errors
  • Support for 712 SPDX licenses in structured JSON format with complete metadata

Enhanced Data Structure

  • Complete license information, including properties, requirements, limitations, and obligations
  • Detailed compatibility matrices for static and dynamic linking scenarios
  • Comprehensive obligation tracking with license-specific requirements
  • Structured contamination effect and compatibility notes

Improved API Integration

  • JSON-first design optimized for MCP (Model Context Protocol) integration
  • Clean, machine-readable output perfect for external system consumption
  • Backward compatibility with YAML fallback for legacy support
  • Enhanced library API for programmatic usage

Changed

Dataset Architecture

  • Primary license data format changed from YAML to JSON
  • Reduced dataset size from 5.6MB to 2.8MB (50% reduction)
  • Eliminated duplicate data structures and simplified maintenance
  • Streamlined file structure for better package distribution

Policy Evaluation Enhancement

  • Fixed policy aggregation to preserve remediation and requirements data
  • Added comprehensive license obligations to policy evaluation results
  • Improved compatibility checking with explicit incompatible license pairs
  • Enhanced mobile/embedded distribution recognition in the default policy

Test Coverage

  • Achieved 100% test success rate with validation suite
  • Added dataset integrity validation for all 712 license files
  • Enhanced CLI command testing across all options and scenarios
  • Improved library API testing for external system integration

Fixed

Critical Bug Fixes

  • Resolved GPL-2.0 + Apache-2.0 compatibility checking issue
  • Fixed missing remediation data in policy aggregation results
  • Corrected the empty requirements field for denied licenses
  • Enhanced mobile distribution type recognition in default policies
  • Improved error handling for edge cases in license data loading

Data Quality Improvements

  • Corrected license limitation semantics across all SPDX licenses
  • Fixed Apache-2.0 license classification as permissive
  • Standardized copyleft vs permissive license requirement patterns
  • Enhanced compatibility matrix generation with corrected license relationships

Technical Improvements

Architecture Enhancements

  • Added JSON schema for license data validation
  • Implemented fallback mechanism from JSON to YAML for compatibility
  • Enhanced data loading with proper error handling and validation
  • Optimized file structure and removed redundant datasets
  • Improved package size and distribution efficiency

Performance Optimizations

  • 50% reduction in dataset size while maintaining complete functionality
  • Faster JSON parsing compared to YAML processing
  • Improved memory usage with streamlined data structures
  • Enhanced CLI response times across all commands

Breaking Changes

  • Primary license data format changed from YAML to JSON
  • Policy evaluation now includes comprehensive obligations regardless of approval/denial status
  • Some internal API methods updated to support JSON-first architecture

Migration Guide

Existing OSPAC installations will automatically use the new JSON dataset format. No user action is required for basic functionality. Custom policy files and CLI usage remain unchanged.

Compatibility

  • Maintains full backward compatibility for CLI usage
  • Policy files (.yaml) continue to work without modification
  • Library API remains stable with enhanced functionality
  • Supports Python 3.8+ as before

Validation

This release includes comprehensive testing covering:

  • All 712 SPDX license files
  • Complete CLI command functionality
  • Policy evaluation scenarios
  • Library API integration
  • Dataset integrity validation
  • External system compatibility (MCP)

1.1.5

05 Nov 19:47
a5eb7e6

[1.1.5] - 2025-11-05

Added

Default Enterprise Policy

  • Embedded comprehensive default enterprise policy for immediate use without configuration
  • Automatic policy loading when no custom policy is specified
  • Default policy includes rules for GPL, AGPL, LGPL, permissive licenses, and public domain
  • Support for different distribution types: commercial, SaaS, embedded, internal
  • Context-aware evaluation for static vs dynamic linking

CLI Enhancements

  • Added detailed examples to all CLI commands via help text
  • New -o/--output option for check command supporting JSON and text formats
  • Improved main help text with common use cases
  • User notification when using default policy (in text output mode)

Changed

Output Format

  • JSON is now the default output format for all commands (previously text)
  • Consistent JSON structure across all commands for better programmatic parsing
  • Added using_default_policy field to JSON output for transparency
  • Proper serialization of enums and complex types in JSON output

Policy Loading

  • Modified PolicyRuntime to automatically load default policy when:
    • No policy directory is specified
    • Specified directory doesn't exist
    • Policy directory is empty
  • Package now includes embedded default policy file in ospac/defaults/

Fixed

  • Improved rule matching logic for license evaluation
  • Fixed JSON serialization errors with ActionType enums
  • Enhanced context handling for linking types and distribution modes
  • Updated tests to handle new default policy loading behavior

1.1.0

05 Nov 18:14
619310f

[1.1.0] - 2025-11-05

Added

Dual Licensing Implementation

  • Clarified a dual licensing structure for the project
  • Added CC BY-NC-SA 4.0 license for the OSPAC license database
  • Created DATA_LICENSE file with full Creative Commons license text
  • Added LICENSE file to ospac/data/ directory for clarity

Changed

License Structure

  • Software code remains under Apache-2.0 license
  • License database now protected under CC BY-NC-SA 4.0 for non-commercial use only
  • Updated README with comprehensive dual licensing explanation
  • Clear separation between software and data licensing terms

Documentation

  • Enhanced README license section with a detailed breakdown of dual licensing
  • Added guidance for commercial vs non-commercial usage
  • Clarified attribution and share-alike requirements for database usage

1.0.4

05 Nov 05:08
8bb0c05

[1.0.4] - 2025-11-04

Fixed

CLI Command Improvements

  • Fixed ospac obligations command returning no output
  • Corrected policy loader integration for obligation data retrieval
  • Updated get_obligations method to properly traverse the nested policy structure
  • Resolved obligation policy path resolution for CLI commands

GitHub Actions Workflow

  • Removed duplicate release workflow causing PyPI publishing conflicts
  • Consolidated to standard python-publish.yml workflow
  • Fixed action errors during the release process

1.0.3

05 Nov 04:52
317af40

[1.0.3] - 2025-11-04

Fixed

Critical Data Quality Corrections

  • Fixed systematic license limitation value errors across all 712 SPDX licenses
  • Corrected liability and warranty limitation semantics (false = license disclaims, not provides)
  • Fixed Apache-2.0 license classification as permissive (removed incorrect copyleft requirements)
  • Corrected MIT license patent grant status (false, as MIT provides no explicit patent grant)
  • Fixed Apache-2.0 patent grant status (true, as Apache-2.0 provides explicit patent grants)

Data Generation Pipeline Improvements

  • Fixed fallback analysis methods in LLM analyzer and provider modules
  • Improved LLM prompt clarity for limitation field semantics
  • Enhanced license-specific handling for Apache, MIT, GPL, LGPL, and AGPL families
  • Standardized copyleft vs permissive license requirement patterns

AGPL License Data Corrections

  • Fixed inconsistent license compatibility data across all AGPL license variants
  • Corrected AGPL-3.0.yaml incompatible licenses list (MIT-LICENSED → MIT)
  • Fixed AGPL-3.0-or-later.yaml limitation values and same_license requirements
  • Updated contamination_effect values for strong copyleft licenses (module → full)
  • Standardized incompatible license naming (Proprietary → proprietary)

Database Integrity

  • Regenerated the complete license database with corrected pipeline logic
  • Ensured consistent data structure and semantics across all license definitions
  • Maintained compatibility with existing CLI functionality and policy evaluation
  • Verified all 712 SPDX licenses have accurate legal metadata

Technical Details

  • Root cause identified in fallback analysis methods with incorrect default values
  • Fixed the semantic interpretation of limitation fields in license analysis
  • Improved license categorization logic for permissive vs copyleft licenses
  • Enhanced compatibility matrix generation with corrected license relationships

1.0.1

05 Nov 03:36
1181b5e

Release v1.0.1

What's Changed

  • Include default data files in package distribution
  • Move data directory to ospac/data/ for proper wheel packaging
  • Add MANIFEST.in for source distribution support
  • Update pyproject.toml with package-data configuration

Improvements

  • Package now ships with 700+ SPDX license definitions
  • Pre-generated compatibility matrices and obligation database included
  • Tool is immediately usable after pip install without data generation
  • Both wheel and source distributions include all required data files

Full Changelog: v0.1.0...v1.0.1

0.1.0

05 Nov 01:27

OSPAC v0.1.0 - First Public Release

OSPAC (Open Source Policy as Code) is a comprehensive compliance engine for managing open source license policies programmatically.

Key Features

Policy-as-Code Framework

  • Define license compliance rules in YAML
  • Evaluate projects against organizational policies
  • Context-aware compliance checking (static/dynamic linking, distribution)

Complete SPDX Integration

  • 712 SPDX licenses with full metadata
  • Compatibility matrix for all license combinations
  • Obligation tracking and enforcement

Optional LLM Enhancement

  • Support for OpenAI and Ollama providers
  • Enhanced license analysis and categorization
  • Intelligent compatibility rule generation
  • Async/await for LLM operations

CLI Commands

ospac evaluate # Evaluate licenses against policies
ospac check-compat # Check compatibility between licenses
ospac data generate # Generate license database
ospac data show # Display license information

Technical Specifications

  • Python 3.9+ support
  • GitHub Actions CI/CD
  • Tests automatically skip in CI when LLM is unavailable
  • PyPI package ready for distribution

This is the first release (v0.1.0) - initial public release with all core functionality implemented and tested.