[Medium] Sprite GIFs ship without attribution or per-asset licenses

[json9512]

What

Bundled and server-side sprite GIFs:

• `Sources/UI/Sprites/Assets/{otter,sleepycat_1,sleepycat_3,sleepycat_5}_*.gif` — 24 files
• `server/sprite-assets/peak/peak_{blue,green,pink}_*.gif` — 18 files

There's no:

• `ATTRIBUTIONS.md` or per-asset `LICENSE` file alongside them
• upstream URL in the codebase
• author / origin field in any commit message

`scripts/prepare_sprites.py:1-9` documents that the raw assets were pulled from `~/Downloads` and re-encoded. The only license claim in source is hard-coded in `Sources/UI/Sprites/SpritePackManager.swift:109`:

```swift
let manifest = SpriteManifest(
version: 1, name: name, author: "Community", license: "CC0",
format: "gif", frameSize: nil, animations: nil
)
```

That's an assertion, not provenance.

Why this matters

Open-sourcing the repo under MIT redistributes these GIFs. If they actually come from itch.io / Pinterest / etc., the redistribution likely violates the original creator's terms — even if those terms are permissive, attribution is usually required.

Suggested fix

• Add `Sources/UI/Sprites/Assets/ATTRIBUTIONS.md` and `server/sprite-assets/peak/ATTRIBUTIONS.md` listing for each sprite family: source URL, author/handle, license name + URL, and any required attribution string.
• If provenance can't be established for any asset, replace it (commission, generate, or pick a verified CC0 set) before going public.
• Reflect the real license in the manifest (`license: "..."`) per pack instead of the hard-coded "CC0".

Acceptance

• Every bundled sprite has a verifiable source + license.
• `ATTRIBUTIONS.md` files cover all of them.
• `SpritePackManager.loadBuiltinGIF` reads license from a per-pack manifest rather than a literal.

[json9512]

Deployment impact: depends on the fix

• Attribution-only (add `ATTRIBUTIONS.md` next to the GIFs): NOT breaking. No binary or asset change.
• Sprite replacement (if any can't be re-licensed): mildly breaking. Pack ids in `SpritePackManager.loadBuiltinGIF` are derived from filename prefix (`builtin-otter`, `builtin-sleepycat-cream`, etc., see lines 88-92). Renaming or removing a sprite changes its id. Users whose `sshido.activeSpritePack` UserDefault points at the old id will fall back to the first installed pack — handled gracefully by `SpritePackManager.init` lines 25-29 (no crash, just a reset). Acceptable degradation; not blocking.

If replacement is needed, new App Store submission required.