Sentinel Compliance: Apache-2.0 + REUSE 3.3
"Every file in Zenzic carries the cryptographic signature of its license. There are no dark corners."
1. The License
Zenzic is released under the Apache License 2.0. This is not a policy choice — it is an engineering commitment. Apache-2.0 provides:
| Permission | Details |
|---|---|
| ✅ Commercial use | No restrictions |
| ✅ Modification | Fork, patch, extend |
| ✅ Distribution | Redistribute under same license |
| ✅ Patent grant | Explicit patent license from all contributors |
Conditions:
- Preserve the LICENSE and NOTICE files in distributions.
- State significant changes in modified versions.
Full text: LICENSE file at the root of each Zenzic repository.
2. The License Signature — SPDX + REUSE 3.3
Every source file in Zenzic carries an SPDX header — a machine-readable declaration of authorship and license:
# SPDX-FileCopyrightText: 2026 PythonWoods <[email protected]>
# SPDX-License-Identifier: Apache-2.0
This is not a comment. It is a license signature — machine-parseable by any
REUSE 3.3-compliant tool, including reuse lint.
Files without an individual header are covered by REUSE.toml bulk declarations:
[[annotations]]
path = ["docs/**", "i18n/**", "*.md"]
SPDX-License-Identifier = "Apache-2.0"
[[annotations]]
path = ["build/**", "node_modules/**", ".docusaurus/**"]
SPDX-License-Identifier = "Apache-2.0"
Coverage strategy:
| Component | Method |
|---|---|
| Python source files | Per-file SPDX header |
| Shell scripts | Per-file SPDX header |
| Configuration (TOML, YAML) | Per-file header or REUSE.toml |
| Documentation (.mdx, .md) | REUSE.toml bulk declaration |
| Auto-generated files | REUSE.toml coverage |
| Binary assets (SVG, PNG) | REUSE.toml bulk declaration |
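The two coverage methods in the table can be modelled in a few lines. This is an added example, not Zenzic's code and not the `reuse` tool's implementation, and it does not replace `uv run reuse lint`. It assumes the REUSE.toml glob rules are that `*` stops at `/` while `**` crosses directories; the file tree, paths and author below are constructed placeholders.

```python
import re

# Matches the two SPDX tags used in the headers on this page.
TAG_RE = re.compile(
    r"SPDX-(FileCopyrightText|License-Identifier):[ \t]*(\S.*?)[ \t]*$", re.M)

def parse_header(text):
    """Collect copyright holders and license identifiers declared in a file."""
    found = {"copyright": [], "license": []}
    for tag, value in TAG_RE.findall(text):
        found["copyright" if tag == "FileCopyrightText" else "license"].append(value)
    return found

def glob_to_regex(pattern):
    """Assumed glob rules: '*' stops at '/', '**' also crosses directories."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile(body + r"\Z")

def classify(files, annotations):
    """Map each path to 'header', 'REUSE.toml' or 'uncovered'."""
    rules = [glob_to_regex(g) for a in annotations for g in a["path"]]
    result = {}
    for path, text in files.items():
        if parse_header(text)["license"]:
            result[path] = "header"          # per-file SPDX header
        elif any(r.match(path) for r in rules):
            result[path] = "REUSE.toml"      # bulk declaration
        else:
            result[path] = "uncovered"       # would be a compliance failure
    return result

# Constructed sample tree (placeholders, not Zenzic's real files).
SAMPLE_FILES = {
    "src/app/cli.py": "# SPDX-FileCopyrightText: 2026 Example Author <author@example.invalid>\n"
                      "# SPDX-License-Identifier: Apache-2.0\nprint('hi')\n",
    "docs/guide/intro.mdx": "Intro text\n",
    "README.md": "Readme\n",
    "src/app/notes.md": "Nested Markdown file without a header\n",
}
ANNOTATIONS = [{"path": ["docs/**", "i18n/**", "*.md"],
                "SPDX-License-Identifier": "Apache-2.0"}]

if __name__ == "__main__":
    for path, how in classify(SAMPLE_FILES, ANNOTATIONS).items():
        print(f"{how:11} {path}")
```

Under the assumed glob rules, `*.md` covers only Markdown files in the directory that holds REUSE.toml, so the nested `src/app/notes.md` comes out uncovered unless it has its own header or a `**/*.md` pattern.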
3. The Single Gate of Truth
uv run reuse lint
This is the only authorised compliance verification command. It:
- Parses every SPDX header in every file.
- Validates all REUSE.toml bulk declarations.
- Reports any file without coverage as a compliance failure.
- Returns exit 0 only when 100% of files have a declared license.
Expected output:
Congratulations! Your project is compliant with version 3.3 of the REUSE Specification.
This gate runs in:
- The Sentinel Guard pre-commit hook (hook 8 of 8)
- just preflight: the full local CI mirror
Any PR that fails uv run reuse lint does not merge.
4. Contributor Policy — No CLA, Multi-Author Copyright
Zenzic uses the multi-author copyright model. No Contributor License Agreement (CLA) is required.
| Scenario | Action |
|---|---|
| New file (any contributor) | Add your own SPDX copyright line |
| Small change (< 10 lines) | Keep existing headers unchanged |
| Substantial contribution | Append your copyright line below existing lines |
Example of multi-author file:
# SPDX-FileCopyrightText: 2026 PythonWoods <[email protected]>
# SPDX-FileCopyrightText: 2026 Contributor Name <[email protected]>
# SPDX-License-Identifier: Apache-2.0
You retain copyright of your contribution. The Apache-2.0 license — including its patent grant — applies automatically upon submission.
5. Third-Party Dependency Policy
Zenzic may only depend on libraries with Apache-2.0-compatible licenses:
| License | Compatible | Notes |
|---|---|---|
| MIT | ✅ | Permissive |
| BSD 2/3-Clause | ✅ | Permissive |
| Apache-2.0 | ✅ | Identical |
| LGPL-3.0 | ✅ | Library use only |
| ISC | ✅ | MIT-equivalent |
| GPL-2.0 / GPL-3.0 | ❌ | Copyleft contamination |
| Proprietary | ❌ | Not open-source |
When adding a dependency:
- Verify license compatibility above.
- Add to the NOTICE file: name, URL, copyright holder, license identifier.
- Run uv run reuse lint; no regressions accepted.
6. Legal Disclaimer
This document provides operational guidance, not legal advice. For questions regarding Apache-2.0 compliance, patent grants, or contribution rights in your jurisdiction, consult qualified legal counsel.