feat(validator): enforce license headers on tool Python files (check #8) #474

Merged
potiuk merged 2 commits into apache:main from justinmclean:check-headers
Jun 11, 2026
@justinmclean

Member

Summary

Adds check #8 to skill-and-tool-validator: a HARD check requiring every
non-trivial Python source file under tools/ to carry a license header,
either the SPDX one-liner (# SPDX-License-Identifier: Apache-2.0) or the
full Apache Software Foundation preamble.

Skill .md files are intentionally exempt. They already declare their
license through the required license: frontmatter key, which the
frontmatter check (aspect 1) validates, so a separate SPDX comment would
be redundant.

License headers were only caught in code review, if at all. Making it a
HARD validator check moves the failure to validation time and keeps the
repo's ASF licensing compliant by default.

Type of change

  • Skill change (.claude/skills/<name>/) — eval fixtures updated below
  • Tool / bridge contract (tools/<system>/*.md)
  • Python package (tools/*/ with pyproject.toml)
  • Groovy reference impl
  • Cross-cutting (RFC, AGENTS.md, sandbox, privacy-LLM)
  • Documentation (docs/, README.md, CONTRIBUTING.md)
  • Project template (projects/_template/)
  • CI / dev loop (prek, workflows, validators)
  • Other:

Test plan

  • prek run --all-files passes
  • For Python packages touched: uv run pytest / ruff check / mypy passes
  • For Groovy bridges touched: command-line invocation tested end-to-end
  • For skill changes: eval suite passes for the affected skill
    (PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/evals/<skill>/)
  • For skill behaviour changes: a new or updated eval fixture is included in this PR
    (a regression test for the bug fixed / the behaviour added — see CONTRIBUTING.md)
  • Other:

Add a HARD check to skill-and-tool-validator requiring every non-trivial
Python source file under tools/ to carry either the SPDX one-liner or the
full ASF license preamble. Seed the header into the 6
security-tracker-stats-dashboard scripts that lacked it so the real-repo
integration test stays green.

Skill .md files are exempt: they already declare their license via the
required `license:` frontmatter key (validated by the frontmatter check),
so a separate SPDX comment would be redundant.

@justinmclean justinmclean self-assigned this Jun 9, 2026

@potiuk potiuk left a comment

Member

Ough... How did we miss it :) ?

@potiuk potiuk merged commit fadab63 into apache:main Jun 11, 2026
26 checks passed
@justinmclean

Member Author

Correctness

[advisory] _MIN_LICENSE_FILE_SIZE — docstring says "characters", code uses st_size (bytes). Equivalent for ASCII; a BOM/multi-byte stub could measure differently. Document as bytes.
[advisory] test_real_repo_tool_python_files_all_have_headers calls find_repo_root() with no skip-guard; in a shallow checkout / out-of-tree run it aborts the session instead of skipping. Add a skipif.

Conventions

[advisory] Shares check-slot #8 with #481 (see cross-PR note) — whichever lands second renumbers.

Security

no findings.

@justinmclean justinmclean mentioned this pull request Jun 11, 2026
15 tasks
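
A sketch of the kind of check this PR describes, as an added example that is not the validator's actual code: the 64-byte threshold, the 2048-byte header window, the ASF marker match and all function names are assumptions. Size is measured in bytes via `st_size`, the behaviour the review note points out, so the multi-byte stub in the constructed sample tree is checked rather than exempted.

```python
from pathlib import Path
import tempfile

SPDX_LINE = "# SPDX-License-Identifier: Apache-2.0"
# Opening words of the full ASF source header (assumed marker for the preamble)
ASF_MARKER = "Licensed to the Apache Software Foundation (ASF)"
MIN_SIZE_BYTES = 64   # assumed threshold; the PR's real value is not shown here
HEADER_WINDOW = 2048  # assumed: only the top of each file is searched


def has_license_header(path: Path) -> bool:
    """True if the top of the file has the SPDX one-liner or the ASF preamble."""
    head = path.read_bytes()[:HEADER_WINDOW].decode("utf-8", errors="replace")
    return SPDX_LINE in head or ASF_MARKER in head


def missing_headers(tools_dir: Path) -> list[str]:
    """Relative paths of non-trivial .py files under tools_dir lacking a header."""
    missing = []
    for path in sorted(tools_dir.rglob("*.py")):
        # st_size counts bytes, not characters; files below the threshold are exempt
        if path.stat().st_size < MIN_SIZE_BYTES:
            continue
        if not has_license_header(path):
            missing.append(path.relative_to(tools_dir).as_posix())
    return missing


def demo() -> list[str]:
    """Build a constructed tools/ tree and return the files the check flags."""
    body = "def main():\n    return 'x' * 80\n" * 3  # constructed filler, 96 bytes
    asf = "# " + ASF_MARKER + " under one\n# or more contributor license agreements.\n"
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "tools" / "pkg"
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text("", encoding="utf-8")  # trivial: exempt
        (pkg / "spdx.py").write_text(SPDX_LINE + "\n" + body, encoding="utf-8")
        (pkg / "asf.py").write_text(asf + body, encoding="utf-8")
        (pkg / "bare.py").write_text(body, encoding="utf-8")  # no header
        # 43 characters but 83 bytes: exempt by character count, checked by bytes
        (pkg / "multibyte.py").write_text("# " + "\u00e9" * 40 + "\n", encoding="utf-8")
        return missing_headers(pkg.parent)


if __name__ == "__main__":
    print(demo())
```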