Configuration Guide

Configuration File

licit uses a YAML file called .licit.yaml in the project root. It is automatically generated with licit init but can be edited manually.

Configuration Resolution

When licit loads the configuration, it follows this priority order:

  1. Explicit path: licit --config /path/to/config.yaml <command>
  2. File in current directory: .licit.yaml in the cwd
  3. Defaults: If no file exists, default values are used

If the file exists but has YAML syntax or validation errors, licit logs a warning and uses the defaults.

Complete Example

# .licit.yaml — licit configuration
# All fields are optional. Default values are shown.

provenance:
  enabled: true
  methods:
    - git-infer          # Methods: git-infer, session-log, git-ai
  session_dirs: []       # Directories with agent session logs
  sign: false            # Sign records with HMAC-SHA256
  sign_key_path: null    # Path to signing key
  confidence_threshold: 0.6  # Minimum threshold to classify as AI
  store_path: .licit/provenance.jsonl

changelog:
  enabled: true
  watch_files:           # Agent config files to monitor
    - CLAUDE.md
    - .cursorrules
    - .cursor/rules
    - AGENTS.md
    - .github/copilot-instructions.md
    - .github/agents/*.md
    - .architect/config.yaml
    - architect.yaml
  output_path: .licit/changelog.md

frameworks:
  eu_ai_act: true        # Enable EU AI Act evaluation
  owasp_agentic: true    # Enable OWASP Agentic Top 10 evaluation
  nist_ai_rmf: false     # Future (V1)
  iso_42001: false       # Future (V1)

connectors:
  architect:
    enabled: false
    reports_dir: .architect/reports
    audit_log: null
    config_path: null
  vigil:
    enabled: false
    sarif_path: null
    sbom_path: null

fria:
  output_path: .licit/fria-report.md
  data_path: .licit/fria-data.json
  organization: ""
  system_name: ""
  system_description: ""

annex_iv:
  output_path: .licit/annex-iv.md
  organization: ""
  product_name: ""
  product_version: ""

reports:
  output_dir: .licit/reports
  default_format: markdown   # markdown, json, html
  include_evidence: true
  include_recommendations: true

Detailed Sections

provenance — Code Traceability

Controls how licit tracks the origin of code (AI vs human).

FieldTypeDefaultDescription
enabledbooltrueEnable traceability
methodslist[str]["git-infer"]Detection methods
session_dirslist[str][]Dirs with session logs
signboolfalseSign records with HMAC
sign_key_pathstr?nullPath to signing key
confidence_thresholdfloat0.6Confidence threshold (0.0-1.0)
store_pathstr.licit/provenance.jsonlPath to provenance store

Available methods:

Example — Enable signing:

provenance:
  sign: true
  sign_key_path: ~/.licit/signing-key

Example — Multiple methods:

provenance:
  methods:
    - git-infer
    - session-log
  session_dirs:
    - ~/.claude/projects/

changelog — Agent Config Monitoring

Status: Functional since v0.3.0. Run with licit changelog.

Tracks changes in AI agent configuration files through git history, producing semantic diffs with severity classification (MAJOR/MINOR/PATCH).

FieldTypeDefaultDescription
enabledbooltrueEnable monitoring
watch_fileslist[str](see example)Files/globs to monitor
output_pathstr.licit/changelog.mdPath of generated changelog

Default monitored files:

FileAgent
CLAUDE.mdClaude Code
.cursorrulesCursor
.cursor/rulesCursor (new format)
AGENTS.mdGitHub Agents
.github/copilot-instructions.mdGitHub Copilot
.github/agents/*.mdGitHub Agents (individual configs)
.architect/config.yamlArchitect
architect.yamlArchitect (alternative)

Patterns with * are resolved using Path.glob(). Exact names check existence in git history.

Processing pipeline:

ConfigWatcher → Semantic Differ → ChangeClassifier → ChangelogRenderer
  (git log)     (YAML/JSON/MD)   (MAJOR/MINOR/PATCH)   (MD/JSON)

Diff formats: YAML and JSON produce field-level diffs (model, llm.provider). Markdown produces section-level diffs (section:Rules). Plain text produces a full content diff.

Output formats: markdown (default) groups by file and sorts by severity. json produces a {"changes": [...]} object.

Example — Add a custom file:

changelog:
  watch_files:
    - CLAUDE.md
    - .cursorrules
    - mi-agente-custom.yaml       # additional file
    - .prompts/**/*.md             # recursive glob

Example — JSON output:

licit changelog --format json --since 2026-01-01

For detailed documentation, see Changelog System.

frameworks — Regulatory Frameworks

Controls which regulatory frameworks are evaluated.

FieldTypeDefaultDescription
eu_ai_actbooltrueEU AI Act (Regulation EU 2024/1689)
owasp_agenticbooltrueOWASP Agentic Top 10
nist_ai_rmfboolfalseNIST AI Risk Management Framework (future)
iso_42001boolfalseISO/IEC 42001 (future)

Example — EU AI Act only:

frameworks:
  eu_ai_act: true
  owasp_agentic: false

connectors — External Integrations

connectors.architect

Integration with Architect to read audit reports and guardrail configuration.

FieldTypeDefaultDescription
enabledboolfalseEnable connector
reports_dirstr.architect/reportsReports directory
audit_logstr?nullPath to JSONL audit log
config_pathstr?nullPath to architect config

Example:

connectors:
  architect:
    enabled: true
    config_path: .architect/config.yaml
    audit_log: .architect/audit.jsonl

connectors.vigil

Integration with Vigil to read security findings in SARIF format.

FieldTypeDefaultDescription
enabledboolfalseEnable connector
sarif_pathstr?nullPath to SARIF file
sbom_pathstr?nullPath to SBOM

Example:

connectors:
  vigil:
    enabled: true
    sarif_path: reports/vigil-results.sarif

fria — Fundamental Rights Impact Assessment

Configuration for the FRIA (EU AI Act Article 27).

FieldTypeDefaultDescription
output_pathstr.licit/fria-report.mdReport path
data_pathstr.licit/fria-data.jsonRaw data path
organizationstr""Organization name
system_namestr""System name
system_descriptionstr""System description

annex_iv — Annex IV Technical Documentation

FieldTypeDefaultDescription
output_pathstr.licit/annex-iv.mdDocument path
organizationstr""Organization name
product_namestr""Product name
product_versionstr""Product version

reports — Report Generation

FieldTypeDefaultDescription
output_dirstr.licit/reportsOutput directory
default_formatstrmarkdownFormat: markdown, json, html
include_evidencebooltrueInclude evidence in reports
include_recommendationsbooltrueInclude recommendations

Data Directory (.licit/)

licit stores all its internal data in the .licit/ directory within the project root.

.licit/
├── .signing-key        # HMAC-SHA256 key (auto-generated if sign=true)
├── provenance.jsonl    # Traceability store (append-only JSONL)
├── changelog.md        # Agent config changelog
├── fria-data.json      # Raw FRIA data
├── fria-report.md      # Human-readable FRIA report
├── annex-iv.md         # Annex IV technical documentation
└── reports/            # Generated reports
    ├── provenance.md          # Provenance report
    ├── compliance-report.md
    ├── compliance-report.json
    └── compliance-report.html

.gitignore recommendation:

# licit — internal data (may contain sensitive information)
.licit/provenance.jsonl
.licit/fria-data.json

# licit — generated reports (commit if desired)
# .licit/reports/

It is recommended to commit .licit.yaml and generated reports, but not the provenance store or raw FRIA data, as they may contain sensitive team information.

Programmatic Usage

The configuration can be loaded and manipulated from Python:

from licit.config.loader import load_config, save_config

# Load
config = load_config()  # Automatically looks for .licit.yaml
config = load_config("/ruta/explícita/.licit.yaml")

# Modify
config.frameworks.owasp_agentic = False
config.connectors.architect.enabled = True

# Save
save_config(config)  # Saves to .licit.yaml
save_config(config, "/otra/ruta/config.yaml")