This looks good conceptually, but if we’re supporting SPDX license expressions (note SPDX itself is much more than that) we should make that a requirement, by parsing the value and enforcing the syntax. That means we need a parser and need to have a good set of positive and negative unit tests validating what works and what doesn’t.
Also, per the agreements in the sprint, we’re going to support these expressions strictly, without the loose semantics that are today accepted in, for example, AppStream licenses. Since we’re starting anew, that’s a good chance to make the data sane.