
Implement universal compliance workflow and remove project-type-specific tools#18

Merged
oscarvalenzuelab merged 1 commit into main from feature/universal-compliance-workflow on Nov 11, 2025

Conversation

@oscarvalenzuelab
Contributor

Summary

Replaces project-type-specific tools with a universal compliance workflow that works for ANY distribution type (mobile, desktop, SaaS, embedded, etc.).

Changes

1. Removed generate_mobile_legal_summary

  • Deleted specialized mobile-only tool
  • Doesn't scale - would need separate tools for desktop, embedded, etc.
  • Replaced with universal approach

2. Added run_compliance_check - Universal Workflow Tool

Single tool that executes complete compliance workflow for ANY project type:

run_compliance_check(
    path="/path/to/project",
    distribution_type="mobile",  # OR desktop, saas, embedded, etc.
    policy_file=None,  # Uses default if not specified
    check_vulnerabilities=True
)

Automatic workflow:

  1. Scan for licenses and packages
  2. Generate NOTICE.txt with purl2notices
  3. Validate against policy using ospac
  4. Generate sbom.json
  5. Check vulnerabilities
  6. Return APPROVED/REJECTED decision + risk level

Outputs:

  • NOTICE.txt - Complete legal notices with copyright extraction
  • sbom.json - Software Bill of Materials
  • Comprehensive report with actionable recommendations

3. Enhanced Tool Descriptions (Agent Usability)

All tools now include structured guidance:

  • WHEN TO USE - Clear scenarios
  • WHEN NOT TO USE - Prevents confusion
  • WORKFLOW POSITION - Where it fits in workflows
  • COMMON WORKFLOWS - Complete examples

Key improvements:

  • generate_legal_notices marked as PRIMARY TOOL for legal docs
  • scan_directory marked as FIRST STEP
  • validate_license_list positioned for QUICK validation
  • All tools show complete workflow sequences

4. Updated Server Instructions

  • Standard universal workflow documented
  • Two clear options: one-shot vs manual orchestration
  • Emphasized: NO project-type-specific tools exist
  • Distribution type is just a parameter for policy context

5. Updated All Configuration Files

Replaced generate_mobile_legal_summary with run_compliance_check in:

  • .cursor/mcp.json.example
  • .kiro/settings/mcp.json.example
  • examples/mcp_client_config.json
  • guides/IDE_INTEGRATION_GUIDE.md
  • README.md

Rationale

Problem: Creating specialized tools for each distribution type doesn't scale:

  • Would need: generate_mobile_*, generate_desktop_*, generate_embedded_*, etc.
  • Agents confused about which tool to use
  • Duplicated functionality with slight variations

Solution: Universal standardized workflow:

  • ONE tool works for EVERYTHING
  • Distribution type is policy validation context, not separate workflow
  • Uses default policy if user doesn't specify
  • Scales to any future distribution type without code changes

Standard Workflow (Works for Everything)

Option 1 - One-Shot (Recommended):

run_compliance_check(path, distribution_type="mobile")
→ APPROVED/REJECTED + NOTICE.txt + sbom.json

Option 2 - Manual Steps:

1. scan_directory (discover licenses + packages)
2. generate_legal_notices (PRIMARY - purl2notices for complete docs)
3. validate_license_list or validate_policy (ospac validation)
4. generate_sbom (documentation)
5. Compile final report

Benefits

Simplifies agent decision-making - clear which tool to use
Reduces tool count - one universal tool vs many specialized ones
Consistent workflow - same process for all project types
Better scalability - works for any distribution type
Default policy support - works without configuration
Clear guidance - agents understand tool purposes and sequences

Testing

Tested workflow execution:

  • ✅ Tool descriptions provide clear guidance
  • ✅ Universal workflow documented
  • ✅ All config files updated
  • ✅ No references to removed mobile tool

Breaking Changes

Removed: generate_mobile_legal_summary

Migration: Use run_compliance_check instead, or manually call generate_legal_notices which is the primary tool for legal documentation.

Note: generate_legal_notices was always the correct tool for complete legal documentation. The mobile tool was redundant and caused confusion.

…fic tools

CHANGES:

1. DELETED generate_mobile_legal_summary
   - Removed specialized mobile tool that didn't scale
   - No need for project-type-specific tools (mobile, desktop, etc.)

2. CREATED run_compliance_check - Universal Workflow Tool
   - ONE tool that works for ANY project type (mobile, desktop, saas, embedded, etc.)
   - Executes complete standard workflow:
     * scan_directory (licenses + packages)
     * generate_legal_notices (purl2notices - complete NOTICE file)
     * validate_policy (ospac - with default or custom policy)
     * generate_sbom (documentation)
     * check vulnerabilities (optional)
     * Return APPROVED/REJECTED decision + risk level
   - Distribution type is just a parameter, not separate workflows
   - Generates artifacts: NOTICE.txt + sbom.json
   - Returns comprehensive report with actionable recommendations

3. UPDATED SERVER INSTRUCTIONS
   - Added universal workflow guidance
   - Clear option 1 (one-shot) vs option 2 (manual orchestration)
   - Emphasized: NO project-type-specific tools exist
   - generate_legal_notices is PRIMARY tool for ALL legal documentation

4. ENHANCED TOOL DESCRIPTIONS (Priority 1 improvements)
   - scan_directory: Marked as FIRST STEP, added workflow examples
   - generate_legal_notices: Marked as PRIMARY TOOL with complete workflows
   - validate_license_list: Added QUICK validation positioning
   - All tools include: WHEN TO USE, WHEN NOT TO USE, WORKFLOW POSITION

5. UPDATED ALL CONFIGURATION FILES
   - Replaced generate_mobile_legal_summary with run_compliance_check
   - .cursor/mcp.json.example
   - .kiro/settings/mcp.json.example
   - examples/mcp_client_config.json
   - guides/IDE_INTEGRATION_GUIDE.md
   - README.md

RATIONALE:
- Don't create specialized tools for each distribution type (mobile, desktop, embedded, etc.)
- Use ONE standardized workflow that works for EVERYTHING
- Distribution type is policy validation context, not separate workflow
- If user doesn't specify type, use default policy
- Scales better - works for any future distribution type without code changes

STANDARD WORKFLOW NOW:
1. scan_directory (discover)
2. generate_legal_notices with purl2notices (ALWAYS for complete docs)
3. validate with ospac using appropriate policy
4. generate_sbom
5. check vulnerabilities
6. Decision: APPROVED/REJECTED with risk assessment

Addresses feedback: "Why mobile-specific tool? Doesn't scale. Need universal approach."
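As an added illustration of the run_compliance_check workflow described in the PR summary and again in the commit message above (this is not the project's code, which the page does not show): a self-contained Python model that takes an already-scanned package list, applies a hypothetical per-distribution-type license policy, builds NOTICE and SBOM-like artifacts, folds in vulnerability severity, and returns an APPROVED/REJECTED decision with a risk level and recommendations. The policy contents, package names, vulnerability ids, severity ranking and every function body are assumptions constructed for the example; the real tool's arguments, policy format (ospac) and outputs (purl2notices) may differ.

```python
# Added illustration, not the project's code: an in-memory model of the universal
# compliance workflow (scan -> notices -> policy -> SBOM -> vulnerabilities -> decision).
from dataclasses import dataclass, field


@dataclass
class Package:
    """Constructed package record: purl, SPDX license id, known vulnerabilities."""
    purl: str
    license: str
    vulnerabilities: list = field(default_factory=list)  # (id, severity) pairs


# Hypothetical default policy: the distribution type selects which licenses are
# denied outright and which need manual review. The rule contents are assumptions.
DEFAULT_POLICY = {
    "default": {"deny": set(), "review": {"AGPL-3.0-only"}},
    "mobile": {"deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
               "review": {"LGPL-3.0-only"}},
    "saas": {"deny": {"AGPL-3.0-only"}, "review": set()},
    "embedded": {"deny": {"AGPL-3.0-only"},
                 "review": {"GPL-3.0-only", "LGPL-3.0-only"}},
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def validate_policy(packages, distribution_type, policy=DEFAULT_POLICY):
    """Policy step: check each package's license against the rules for this type."""
    rules = policy.get(distribution_type, policy["default"])
    denied = [p for p in packages if p.license in rules["deny"]]
    review = [p for p in packages if p.license in rules["review"]]
    return denied, review


def generate_notices(packages):
    """Notice step: build NOTICE.txt-style text, one entry per package."""
    lines = ["THIRD-PARTY NOTICES", ""]
    for p in sorted(packages, key=lambda pkg: pkg.purl):
        lines.append(p.purl)
        lines.append(f"  License: {p.license}")
    return "\n".join(lines) + "\n"


def generate_sbom(packages):
    """SBOM step: minimal component list (constructed shape, not a real SBOM format)."""
    return {"components": [{"purl": p.purl, "license": p.license} for p in packages]}


def highest_severity(packages):
    """Vulnerability step: worst severity across all packages ("none" if clean)."""
    worst = "none"
    for p in packages:
        for _vid, sev in p.vulnerabilities:
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[worst]:
                worst = sev
    return worst


def run_compliance_check(packages, distribution_type="default",
                         policy=DEFAULT_POLICY, check_vulnerabilities=True):
    """Decision step: combine policy and vulnerability results into a verdict."""
    denied, review = validate_policy(packages, distribution_type, policy)
    worst = highest_severity(packages) if check_vulnerabilities else "none"
    recommendations = [
        f"Remove or replace {p.purl}: {p.license} is not allowed for {distribution_type}"
        for p in denied
    ]
    recommendations += [f"Legal review required for {p.purl} ({p.license})" for p in review]
    for p in packages:
        for vid, sev in p.vulnerabilities:
            recommendations.append(f"Upgrade {p.purl}: {vid} ({sev})")
    # Any denied license, or a critical vulnerability when checking, rejects outright.
    rejected = bool(denied) or (check_vulnerabilities and worst == "critical")
    if rejected:
        risk = "critical"
    elif review or SEVERITY_RANK[worst] >= SEVERITY_RANK["high"]:
        risk = "high"
    elif SEVERITY_RANK[worst] >= SEVERITY_RANK["medium"]:
        risk = "medium"
    else:
        risk = "low"
    return {
        "decision": "REJECTED" if rejected else "APPROVED",
        "risk_level": risk,
        "notice": generate_notices(packages),
        "sbom": generate_sbom(packages),
        "recommendations": recommendations,
    }


# Constructed sample inventory standing in for scan_directory output; the
# vulnerability id is a placeholder, not a real advisory.
SAMPLE_PACKAGES = [
    Package("pkg:pypi/requests@2.31.0", "Apache-2.0"),
    Package("pkg:pypi/example-gpl-lib@1.0", "GPL-3.0-only"),
    Package("pkg:npm/example-js-lib@4.17.20", "MIT", [("VULN-PLACEHOLDER-1", "high")]),
]

if __name__ == "__main__":
    for dist in ("mobile", "saas", "embedded"):
        result = run_compliance_check(SAMPLE_PACKAGES, distribution_type=dist)
        print(dist, result["decision"], result["risk_level"])
        for rec in result["recommendations"]:
            print("  -", rec)
```

Running the block shows the point the PR makes: the same inventory and the same function yield REJECTED for mobile (a denied license) but APPROVED with a high risk level for saas and embedded, so the distribution type only changes the policy context, never the workflow.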
@oscarvalenzuelab oscarvalenzuelab merged commit 02704d5 into main Nov 11, 2025
2 checks passed
@oscarvalenzuelab oscarvalenzuelab deleted the feature/universal-compliance-workflow branch November 11, 2025 18:14
@oscarvalenzuelab oscarvalenzuelab mentioned this pull request Nov 11, 2025