authornsfisis <nsfisis@gmail.com>2026-05-04 16:00:23 +0900
committernsfisis <nsfisis@gmail.com>2026-05-04 16:00:23 +0900
commit14d3eb2b2f537140bf626b3d109e01834704e5bf (patch)
tree8749b83e1f84e540cd3a4edef6063ef484c6b996
parentfe9e449adb6bd57e66c7ba82ba3effd93b61942e (diff)
fix(spdx-licenses): reject leading/trailing whitespace in validate
Composer anchors its license expression regex with `^...$`, but Mozart's parser tokenizer silently skipped edge whitespace, accepting inputs like " MIT" or "MIT\t". Mirror Composer by rejecting edge whitespace before parsing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
-rw-r--r--crates/mozart-spdx-licenses/src/lib.rs13
1 files changed, 13 insertions, 0 deletions
diff --git a/crates/mozart-spdx-licenses/src/lib.rs b/crates/mozart-spdx-licenses/src/lib.rs
index 10edec0..77ebbce 100644
--- a/crates/mozart-spdx-licenses/src/lib.rs
+++ b/crates/mozart-spdx-licenses/src/lib.rs
@@ -85,6 +85,19 @@ impl SpdxLicenses {
return false;
}
+ // Fast path: check simple license identifier first.
+ if self.is_valid_license_id(license) {
+ return true;
+ }
+
+ // Composer anchors its regex with `^...$` and never permits leading or
+ // trailing whitespace. Reject it here so the tokenizer (which skips
+ // whitespace as a token separator) doesn't accept it.
+ let bytes = license.as_bytes();
+ if bytes[0].is_ascii_whitespace() || bytes[bytes.len() - 1].is_ascii_whitespace() {
+ return false;
+ }
+
// Special values
if license.eq_ignore_ascii_case("NONE") || license.eq_ignore_ascii_case("NOASSERTION") {
return true;
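Review bot: The added edge check `bytes[0].is_ascii_whitespace() || bytes[bytes.len() - 1].is_ascii_whitespace()` covers only the ASCII whitespace set, and the tokenizer it guards is not visible in this hunk. If that tokenizer skips separators with `char::is_whitespace`, an input with a leading or trailing U+00A0 or U+000B would presumably still validate, leaving the parity with Composer's anchored regex incomplete. Matching the tokenizer's predicate, for example `if license.starts_with(char::is_whitespace) || license.ends_with(char::is_whitespace) { return false; }`, would close that gap and also drop the direct indexing, which is safe only because of the early return above, whose condition lies outside the hunk. The diffstat lists only these 13 insertions, so no regression test accompanies the change; cases for `" MIT"` and `"MIT\t"` would pin the behaviour. The enclosing function starts and ends outside the hunk.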