From 14d3eb2b2f537140bf626b3d109e01834704e5bf Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Mon, 4 May 2026 16:00:23 +0900
Subject: fix(spdx-licenses): reject leading/trailing whitespace in validate

Composer anchors its license expression regex with `^...$`, but Mozart's parser tokenizer silently skipped edge whitespace, accepting inputs like " MIT" or "MIT\t". Mirror Composer by rejecting edge whitespace before parsing.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 crates/mozart-spdx-licenses/src/lib.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/crates/mozart-spdx-licenses/src/lib.rs b/crates/mozart-spdx-licenses/src/lib.rs
index 10edec0..77ebbce 100644
--- a/crates/mozart-spdx-licenses/src/lib.rs
+++ b/crates/mozart-spdx-licenses/src/lib.rs
@@ -85,6 +85,19 @@ impl SpdxLicenses {
             return false;
         }
 
+        // Fast path: check simple license identifier first.
+        if self.is_valid_license_id(license) {
+            return true;
+        }
+
+        // Composer anchors its regex with `^...$` and never permits leading or
+        // trailing whitespace. Reject it here so the tokenizer (which skips
+        // whitespace as a token separator) doesn't accept it.
+        let bytes = license.as_bytes();
+        if bytes[0].is_ascii_whitespace() || bytes[bytes.len() - 1].is_ascii_whitespace() {
+            return false;
+        }
+
         // Special values
         if license.eq_ignore_ascii_case("NONE") || license.eq_ignore_ascii_case("NOASSERTION") {
             return true;
-- 
cgit v1.3.1
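Review bot: The new whitespace guard sits below the `is_valid_license_id` fast path, so if that lookup trims or otherwise normalizes its input, ` MIT` is still accepted before the guard ever runs; placing the guard first makes the rejection unconditional. The enclosing function (presumably `validate`, per the subject line) begins outside the hunk, so it cannot be confirmed here that `bytes[0]` and `bytes[bytes.len() - 1]` are protected by an empty-string check; `if license.starts_with(|c: char| c.is_ascii_whitespace()) || license.ends_with(|c: char| c.is_ascii_whitespace()) { return false; }` is panic-free on empty input and drops the `bytes` local. The guard's `is_ascii_whitespace` predicate should also match the tokenizer's skip rule — if the tokenizer skips `char::is_whitespace`, a Unicode space such as U+00A0 at either edge still gets past this check and is silently accepted. The diffstat shows no test change; a unit test covering ` MIT`, `MIT\t` and plain `MIT` would pin the intended behavior.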