
feat: implement license compliance enforcement and exit code strategy#18

Merged

PrasanthYT merged 1 commit into main from feature/license-compliance-enforcement on Mar 3, 2026

Conversation

@PrasanthYT
Contributor

Overview

This PR introduces license compliance enforcement into Scanr and finalizes the structured exit code strategy.

Scanr now supports policy-driven license evaluation with explicit CI enforcement semantics and clear separation between vulnerability and license failures.

Final Exit Code Strategy

Exit Code  Meaning
0          Success
1          Execution error
2          Vulnerability policy violation
3          License policy violation
4          Both vulnerability and license violations

This ensures explicit failure domain separation.

License Policy Model

Extended scanr.toml:

[license]
enabled = true
block = ["GPL-3.0", "AGPL-3.0"]
allow_only = []
fail_on_unknown = true
enforce_in_ci = true

Internal Architecture

New module:

scanr-core/src/license/
    mod.rs
    extractor.rs
    evaluator.rs

Core Structures

pub struct LicensePolicy {
    pub enabled: bool,
    pub block: Vec<String>,
    pub allow_only: Vec<String>,
    pub fail_on_unknown: bool,
    pub enforce_in_ci: bool,
}

pub struct LicenseInfo {
    pub package: String,
    pub version: String,
    pub license: String,
}

Evaluation remains pure and side-effect free.

Pure Evaluation Logic

pub fn evaluate_licenses(
    deps: &[LicenseInfo],
    policy: &LicensePolicy,
) -> LicenseEvaluationResult
  • No exit logic
  • No printing
  • Deterministic behavior
  • Returns violations + summary

CLI Enforcement Layer

Enforcement occurs only in CLI layer.

Rules:

  • Always evaluate
  • Enforce only in CI mode if configured
  • Exit codes mapped via structured strategy

Combined violations return exit code 4.

Output Behavior

Normal Mode

License Compliance

Violations: 2
- minimatch@10.2.2 uses GPL-3.0 (blocked)
- legacy-lib@1.0.0 has UNKNOWN license

Result: WARN (non-blocking)

CI Mode

License Compliance

Violations: 2

CI Result: FAIL
Exit Code: 3

License Summary Section

Always appended:

License Summary:
MIT: 320
Apache-2.0: 150
GPL-3.0: 2
UNKNOWN: 3

Validation

  • Blocked license in normal mode → exit 0
  • Blocked license in CI mode → exit 3
  • Vulnerability + license violation → exit 4
  • fail_on_unknown=false behaves correctly
  • allow_only enforced correctly
  • Deterministic output verified

Impact

Scanr now supports:

  • Vulnerability enforcement
  • Baseline tracking
  • Offline caching
  • Dependency tracing
  • License compliance enforcement
  • Explicit CI exit semantics

This significantly increases enterprise readiness and DevSecOps compatibility.

🎯 Why This Milestone Matters

This milestone formalizes Scanr’s governance layer.

It transforms Scanr from:

A security scanner

Into:

A policy-enforcing DevSecOps control point.

You now have a serious, production-grade security tool.
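An added example, not Scanr's own code, showing how the pure evaluator and the CLI exit-code mapping described in this PR fit together. Struct names and policy fields follow the PR; the fields of LicenseEvaluationResult and the signature of exit_code are assumptions.

```rust
// Added example (not Scanr's own code): pure license evaluation for this PR's policy
// model plus the CLI exit-code mapping. LicenseEvaluationResult's fields and
// exit_code's signature are assumptions; struct names and policy fields follow the PR.
#[derive(Debug, Clone)]
pub struct LicensePolicy {
    pub enabled: bool,
    pub block: Vec<String>,
    pub allow_only: Vec<String>,
    pub fail_on_unknown: bool,
    pub enforce_in_ci: bool,
}
#[derive(Debug, Clone)]
pub struct LicenseInfo {
    pub package: String,
    pub version: String,
    pub license: String,
}
#[derive(Debug, Default, PartialEq)]
pub struct LicenseEvaluationResult {
    pub violations: Vec<String>,       // one line per offending dependency
    pub summary: Vec<(String, usize)>, // license -> count, sorted for determinism
}

/// Pure evaluation: no printing, no process exit, identical output for identical input.
pub fn evaluate_licenses(deps: &[LicenseInfo], policy: &LicensePolicy) -> LicenseEvaluationResult {
    let mut result = LicenseEvaluationResult::default();
    let mut counts = std::collections::BTreeMap::<String, usize>::new();
    for d in deps {
        *counts.entry(d.license.clone()).or_insert(0) += 1; // summary counts every dep
        if !policy.enabled { continue; }
        let id = format!("{}@{}", d.package, d.version);
        if d.license == "UNKNOWN" {
            if policy.fail_on_unknown { result.violations.push(format!("{id} has UNKNOWN license")); }
        } else if policy.block.contains(&d.license) {
            result.violations.push(format!("{id} uses {} (blocked)", d.license));
        } else if !policy.allow_only.is_empty() && !policy.allow_only.contains(&d.license) {
            result.violations.push(format!("{id} uses {} (not in allow_only)", d.license));
        }
    }
    result.summary = counts.into_iter().collect();
    result
}

/// CLI layer: license failures count only in CI mode with enforce_in_ci set;
/// vuln_violation is the vulnerability policy's verdict, assumed computed elsewhere.
pub fn exit_code(vuln_violation: bool, license_violations: usize, ci: bool, policy: &LicensePolicy) -> i32 {
    let lic = license_violations > 0 && ci && policy.enforce_in_ci;
    match (vuln_violation, lic) { (false, false) => 0, (true, false) => 2, (false, true) => 3, (true, true) => 4 }
}
```

The evaluator never exits or prints, so the same dependency list and policy always yield the same violations and summary; only exit_code decides whether a CI run fails.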

@PrasanthYT PrasanthYT merged commit 5d3c8f4 into main Mar 3, 2026
4 checks passed