[Change] dep-security-cleanup — license gate, pycg, dependency hygiene #508

@djm81

Description

Why

A socket.dev attribution audit revealed two wrong packages and several GPL-licensed dependencies in specfact-cli's dependency tree. specfact-cli is licensed Apache-2.0. (A)GPL licenses are incompatible with Apache-2.0 and directly block any future enterprise/commercial licensing. GPL-licensed packages in any distributed extra — not just the base install — constitute a license violation that can prevent enterprise adoption. Two packages are also outright wrong: syft (PyPI) is OpenMined's federated ML framework, not the Anchore SBOM tool its comment describes; bearer (PyPI) is a SaaS HTTP auth client, not a security scanner. This change removes all wrong packages, eliminates the GPL breach in distributed extras, and establishes a forward-looking policy for enterprise license cleanliness.

What Changes

Phase 1 (this change): Remove GPL pyan3 and wrong PyPI packages (syft, bearer); add MIT replacements (pycg, bandit, commentjson); add scripts/check_license_compliance.py, allowlist YAML, CI gates, and agent-rules documentation. See OpenSpec change dep-security-cleanup for full capability deltas and file-level impact.

Related Issues/PRs

OpenSpec Change Proposal: dep-security-cleanup
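A minimal license gate of the kind this change introduces, as an added example that is not the PR's own scripts/check_license_compliance.py: the allowlist is a constructed Python set standing in for the allowlist YAML (whose schema is assumed), license ids are derived from standard Python core-metadata fields, and (A)GPL or unverifiable licenses fail the gate with a non-zero exit so CI blocks the merge.

```python
import re
import sys
from importlib import metadata
# Constructed allowlist standing in for the project's allowlist YAML (its real schema is assumed).
ALLOWED = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "PSF-2.0", "MPL-2.0"}
COPYLEFT = re.compile(r"\bA?GPL", re.IGNORECASE)  # (A)GPL, which the PR treats as blocking; LGPL is not matched
# Common free-text License values and OSI classifier tails, mapped to SPDX ids.
NORMALIZE = {"MIT License": "MIT", "Apache License 2.0": "Apache-2.0", "Apache Software License": "Apache-2.0",
             "BSD License": "BSD-3-Clause",  # the classifier does not name the clause count; assumed
             "GNU General Public License v3 (GPLv3)": "GPL-3.0-only",
             "GNU Affero General Public License v3": "AGPL-3.0-only"}

def license_of(meta):
    """Pick one license id from core-metadata fields, most structured source first."""
    expr = (meta.get("License-Expression") or "").strip()
    if expr:
        return expr
    lic = (meta.get("License") or "").strip()
    if lic and lic.upper() != "UNKNOWN" and "\n" not in lic:  # skip whole license texts pasted in
        return NORMALIZE.get(lic, lic)
    for c in meta.get("Classifier") or []:
        if c.startswith("License :: OSI Approved :: "):
            tail = c.rsplit(" :: ", 1)[1]
            return NORMALIZE.get(tail, tail)
    return "UNKNOWN"

def check_licenses(packages, allowed=ALLOWED):
    """Return (name, license, reason) for each package the gate rejects; unverifiable licenses fail too."""
    violations = []
    for name, meta in sorted(packages.items()):
        lic = license_of(meta)
        if COPYLEFT.search(lic):
            violations.append((name, lic, "copyleft, incompatible with Apache-2.0"))
        elif lic not in allowed:
            violations.append((name, lic, "not on allowlist"))
    return violations

def installed_packages():
    """Same fields for every distribution in the current environment (what the CI run would see)."""
    return {d.metadata["Name"]: {k: d.metadata.get(k) for k in ("License", "License-Expression")}
            | {"Classifier": d.metadata.get_all("Classifier")} for d in metadata.distributions()}

# Constructed sample metadata; names are invented, not specfact-cli's real dependencies.
SAMPLE = {"cli-tool": {"License": "MIT"}, "callgraph-lib": {"License": "MIT License"},
          "legacy-analyzer": {"License": "GPL-2.0"}, "unlabeled": {"License": "UNKNOWN"},
          "spdx-pkg": {"License-Expression": "BSD-2-Clause", "License": "see expression"},
          "server-plugin": {"Classifier": ["License :: OSI Approved :: GNU Affero General Public License v3"]}}
if __name__ == "__main__":  # CI gate: a non-zero exit blocks the merge
    found = check_licenses(installed_packages() if "--env" in sys.argv else SAMPLE)
    for name, lic, why in found:
        print(f"{name}: {lic} ({why})")
    sys.exit(1 if found else 0)
```

Run with `--env` to gate the current virtualenv; without it the constructed sample is checked, which exercises the GPL, AGPL-by-classifier and unknown-license paths.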

Metadata

Status: Done

Milestone: No milestone
