docs: dependency licensing policy + third-party notices#680

Merged: rsnodgrass merged 1 commit into main from chore/salvage-stashed-docs, Jun 28, 2026

Conversation

@rsnodgrass rsnodgrass commented Jun 22, 2026

What this PR ships

Salvages two durable artifacts from long-lived local stashes (the only non-superseded content out of 19 audited) into main.

  • AGENTS.md — Dependency Licensing Policy (new section): hard rule against copyleft deps for AI coworkers.
    • Banned: GPL, LGPL, AGPL, SSPL, EUPL, OSL, CPL, EPL, CC-BY-SA
    • Allowed: MIT, Apache-2.0, BSD-2/3-Clause, ISC, Unlicense, CC0, MPL-2.0, Zlib
    • Guidance to verify license before any go get, including transitive pulls.
  • THIRD_PARTY_NOTICES.md (new): attribution/notices for bundled third-party dependencies.

Motivation

A 19-stash audit found almost everything either already merged into main or pure beads/config state noise. These two were the only items with real, unmerged value — both licensing-hygiene related, so they ship together as one coherent change. The remaining 17 stashes are being dropped.

Test Plan

Docs-only; no code paths touched. Nothing to build or test. Render-check AGENTS.md section and THIRD_PARTY_NOTICES.md on GitHub.

Summary by CodeRabbit

  • Documentation
    • Added dependency licensing policy guidelines detailing acceptable licenses and verification requirements for new dependencies.
    • Added consolidated third-party software license notices and component attributions across multiple license types.

coderabbitai Bot commented Jun 22, 2026

Walkthrough

Two documentation files are added or updated. AGENTS.md gains a "Dependency Licensing Policy" section banning copyleft licenses and defining a license-verification process. THIRD_PARTY_NOTICES.md is introduced as a new file consolidating third-party attribution notices across MIT, Apache 2.0, BSD 2-Clause, BSD 3-Clause, ISC, and MPL 2.0 licensed components.

Changes

Dependency Licensing Documentation

Changes by layer / file:
  • Dependency Licensing Policy (AGENTS.md): Adds a "Dependency Licensing Policy" section with a hard copyleft ban list, an allowed-license list, and a per-dependency license-verification requirement including guidance for transitive prohibited licenses.
  • Third-Party Notices document (THIRD_PARTY_NOTICES.md): Introduces the full third-party notices file with a document header and six license sections (MIT, Apache 2.0, BSD 2-Clause, BSD 3-Clause, ISC, MPL 2.0), each listing covered components and embedding standard license text.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐇 A rabbit checked each package tag,
No copyleft shall fill our bag!
MIT and BSD, approved with cheer,
MPL noted — conditions clear.
Notices filed, the licenses logged,
Our dependency garden is properly blogged! 🌿

🚥 Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'docs: dependency licensing policy + third-party notices' accurately and concisely summarizes the main change—the addition of two documentation files establishing dependency licensing guidelines and third-party notices.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
THIRD_PARTY_NOTICES.md (1)

1-234: ⚠️ Potential issue | 🟠 Major

THIRD_PARTY_NOTICES.md is significantly incomplete and missing 183 out of 275 actual dependencies.

The file documents only 92 dependencies while go.mod contains 275 total modules. Critical gaps include:

  • bleve search packages: 22 in use, only 1 documented (95% missing)
  • cel.dev/expr, cloud.google.com, github.com/GoogleCloudPlatform, github.com/bbalet/stopwords, github.com/aymerick/douceur and many others completely absent

All third-party dependencies redistributed in the project must be documented for license compliance. Add the missing 183 dependencies with their correct license classifications.

The original concern about undocumented license types (Unlicense, CC0, Zlib) is secondary to this broader completeness issue.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@THIRD_PARTY_NOTICES.md` around lines 1 - 234, The THIRD_PARTY_NOTICES.md file
is incomplete, documenting only 92 of 275 actual dependencies from go.mod. Add
all missing 183 dependencies to the appropriate license sections (MIT License,
Apache License 2.0, BSD 2-Clause License, BSD 3-Clause License, ISC License,
Mozilla Public License 2.0, and any other license types present in go.mod). For
each missing dependency including the bleve search packages, cel.dev/expr,
cloud.google.com/*, github.com/GoogleCloudPlatform/*,
github.com/bbalet/stopwords, github.com/aymerick/douceur and others, add entries
in the format of the existing dependencies with the module name and copyright
holder. Ensure all 275 dependencies are documented with correct license
classifications for full compliance.

📥 Commits

Reviewing files that changed from the base of the PR and between e8a6018 and 90a4373.

📒 Files selected for processing (2)
  • AGENTS.md
  • THIRD_PARTY_NOTICES.md

@rsnodgrass rsnodgrass marked this pull request as ready for review June 28, 2026 04:08
@rsnodgrass rsnodgrass merged commit 7fb45ad into main Jun 28, 2026
7 checks passed
@rsnodgrass rsnodgrass deleted the chore/salvage-stashed-docs branch June 28, 2026 04:08
greptile-apps Bot commented Jun 28, 2026

Greptile Summary

This PR adds a Dependency Licensing Policy section to AGENTS.md and introduces a new THIRD_PARTY_NOTICES.md attribution file, both focusing on license hygiene for the Go codebase.

  • AGENTS.md gains a hard rule banning copyleft dependencies, with explicit allowed/banned license lists and guidance on verifying go get additions — the EPL ban is inconsistent with the MPL-2.0 allowance given both are file-level copyleft.
  • THIRD_PARTY_NOTICES.md attributes third-party dependencies by license family, but a large number of entries omit the Go major-version path suffix (e.g., charm.land/bubbles instead of charm.land/bubbles/v2) and at least one direct dependency (github.com/bbalet/stopwords) is absent from the file.

Confidence Score: 4/5

Docs-only change with no code paths touched; safe to merge, though the notices file has accuracy gaps worth addressing before it's treated as an authoritative compliance artifact.

No production code is touched. The licensing policy in AGENTS.md is clear and actionable. The notices file has two categories of inaccuracies — wrong canonical module paths for v2+ modules, and at least one missing direct dependency — that reduce its reliability as a compliance reference but do not block the codebase from building or running correctly.

THIRD_PARTY_NOTICES.md needs the most attention: module paths should match go.mod exactly (including major-version suffixes), and the file should be cross-checked against go.mod for completeness before it is relied upon for license compliance.

Important Files Changed

  • AGENTS.md: New "Dependency Licensing Policy" section added with banned/allowed license lists and go get guidance; EPL is banned while MPL-2.0 is allowed despite both being file-level copyleft, which is an unexplained inconsistency.
  • THIRD_PARTY_NOTICES.md: New attribution file for third-party dependencies; multiple module paths omit the Go major-version suffix required for v2+ modules, and at least one direct dependency (bbalet/stopwords) is absent from the attributions.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Add new go get dependency] --> B{Check module LICENSE file}
    B --> C{License type?}
    C -->|GPL / LGPL / AGPL\nSSPL / EUPL / OSL\nCPL / EPL / CC-BY-SA| D[❌ BANNED – find alternative]
    C -->|MIT / Apache-2.0\nBSD-2/3-Clause / ISC\nUnlicense / CC0 / Zlib| E[✅ Allowed – proceed]
    C -->|MPL-2.0| F[⚠️ Allowed with caution\nfile-level copyleft only]
    C -->|Unknown| G[Check go module cache\nor upstream repo]
    G --> B
    E --> H{Transitive deps?}
    F --> H
    H -->|Pulls in GPL/LGPL| D
    H -->|All permissive| I[✅ Dependency approved]

Reviews (1): Last reviewed commit: "docs: add dependency licensing policy an..."
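The verification flow in the chart above, as an added example that is not part of the PR or the project's code: a Go program that classifies each module's LICENSE text against the banned and allowed lists from AGENTS.md. It takes the module-cache paths printed by `go list -m all`, which already lists transitive modules, so the policy's "including transitive pulls" rule is covered in one pass; the phrase matching is a heuristic (a Boost-style text would be reported as MIT), and a real pipeline would use a scanner such as the go-licenses tool the review mentions. The file name licensecheck.go, the identifier spellings and the verdict labels are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// One rule per license family: a phrase from its text and the AGENTS.md verdict for it.
var rules = []struct{ phrase, id, verdict string }{
	{"mozilla public license", "MPL-2.0", "allowed-with-caution"}, // file-level copyleft only
	{"eclipse public license", "EPL", "banned"}, {"gnu affero general public license", "AGPL", "banned"},
	{"gnu lesser general public license", "LGPL", "banned"}, {"gnu general public license", "GPL", "banned"},
	{"server side public license", "SSPL", "banned"}, {"european union public licence", "EUPL", "banned"},
	{"open software license", "OSL", "banned"}, {"common public license", "CPL", "banned"},
	{"attribution-sharealike", "CC-BY-SA", "banned"}, {"apache license", "Apache-2.0", "allowed"},
	{"permission is hereby granted, free of charge", "MIT", "allowed"}, {"cc0 1.0 universal", "CC0", "allowed"},
	{"redistributions of source code must retain", "BSD-2-Clause", "allowed"},
	{"permission to use, copy, modify, and/or distribute", "ISC", "allowed"},
	{"this is free and unencumbered software", "Unlicense", "allowed"},
	{"provided 'as-is', without any express or implied warranty", "Zlib", "allowed"},
}

// Classify maps LICENSE text to (identifier, verdict). The phrase found earliest wins:
// a license's own title precedes any license it merely cites (MPL-2.0 and EPL-2.0 name
// the GNU licenses as "Secondary Licenses"). Unrecognised text is "unknown", never allowed.
func Classify(text string) (string, string) {
	t := strings.ToLower(text)
	id, verdict, best := "", "unknown", len(t)
	for _, r := range rules {
		if i := strings.Index(t, r.phrase); i >= 0 && i < best {
			id, verdict, best = r.id, r.verdict, i
		}
	}
	if id == "BSD-2-Clause" && strings.Contains(t, "neither the name of") {
		id = "BSD-3-Clause" // the 3-clause text is the 2-clause text plus this extra clause
	}
	return id, verdict
}

// Usage: go run licensecheck.go $(go list -m -f '{{.Dir}}/LICENSE' all)
func main() {
	exit := 0
	for _, path := range os.Args[1:] {
		id, verdict := "", "unknown" // unreadable or missing file: a human must look
		if b, err := os.ReadFile(path); err == nil {
			id, verdict = Classify(string(b))
		}
		fmt.Printf("%-20s %-12s %s\n", verdict, id, path)
		if verdict == "banned" {
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Modules that are not in the module cache print an empty Dir, so their path is unreadable and they come out as "unknown" rather than silently passing.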

Comment thread AGENTS.md
Comment on lines +127 to +129
- **Banned licenses:** GPL, LGPL, AGPL, SSPL, EUPL, OSL, CPL, EPL, CC-BY-SA
- **Allowed licenses:** MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0, MPL-2.0, Zlib
- **MPL-2.0 note:** Allowed because it is file-level copyleft (not project-level), but prefer MIT/Apache/BSD when alternatives exist
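Review bot: The banned and allowed lists on these three lines mix SPDX identifiers (Apache-2.0, BSD-2-Clause, MPL-2.0) with bare family names (GPL, LGPL, AGPL, EPL, CC0, CC-BY-SA), so a scanner that reports a module's license as an SPDX expression cannot match the policy mechanically, and a bare `GPL` or `EPL` hides version differences of the kind the MPL-2.0 note beside it already shows matter. Write every entry as an SPDX identifier, for instance `GPL-2.0-only`, `GPL-3.0-or-later`, `LGPL-2.1-or-later`, `EPL-1.0`, `EPL-2.0`, `CC0-1.0`, `CC-BY-SA-4.0`, so the lists can drive an automated check on each `go get` instead of a manual read.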

P2 EPL is listed as banned while MPL-2.0 is explicitly allowed because it is "file-level copyleft (not project-level)." EPL-2.0 shares exactly the same file-level copyleft scope as MPL-2.0 — it only requires modified files (not the whole project) to remain under EPL. If the intent is to ban EPL-1.0 specifically (which has stronger per-plugin propagation semantics), that distinction should be called out; otherwise the rule may confuse contributors who encounter EPL-2.0 dependencies and see no principled reason it differs from allowed MPL-2.0.

Suggested change
- **Banned licenses:** GPL, LGPL, AGPL, SSPL, EUPL, OSL, CPL, EPL, CC-BY-SA
- **Allowed licenses:** MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0, MPL-2.0, Zlib
- **MPL-2.0 note:** Allowed because it is file-level copyleft (not project-level), but prefer MIT/Apache/BSD when alternatives exist
- **Banned licenses:** GPL, LGPL, AGPL, SSPL, EUPL, OSL, CPL, EPL-1.0, CC-BY-SA
- **Allowed licenses:** MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0, MPL-2.0, EPL-2.0, Zlib
- **MPL-2.0 / EPL-2.0 note:** Allowed because both are file-level copyleft (not project-level), but prefer MIT/Apache/BSD when alternatives exist
- **EPL-1.0 note:** Banned — its per-plugin propagation scope is broader than EPL-2.0/MPL-2.0


Comment thread THIRD_PARTY_NOTICES.md
Comment on lines +12 to +41
- charm.land/bubbles - Copyright (c) Charmbracelet, Inc.
- charm.land/bubbletea - Copyright (c) Charmbracelet, Inc.
- charm.land/glamour - Copyright (c) Charmbracelet, Inc.
- charm.land/lipgloss - Copyright (c) Charmbracelet, Inc.
- github.com/AlexanderGrooff/mermaid-ascii - Copyright (c) Alexander Grooff
- github.com/Microsoft/go-winio - Copyright (c) Microsoft Corporation
- github.com/alecthomas/chroma - Copyright (c) Alec Thomas
- github.com/cenkalti/backoff - Copyright (c) Cenk Alti
- github.com/charmbracelet/colorprofile - Copyright (c) Charmbracelet, Inc.
- github.com/charmbracelet/ultraviolet - Copyright (c) Charmbracelet, Inc.
- github.com/charmbracelet/x/ansi - Copyright (c) Charmbracelet, Inc.
- github.com/charmbracelet/x/term - Copyright (c) Charmbracelet, Inc.
- github.com/cpuguy83/go-md2man - Copyright (c) Brian Goff
- github.com/fatih/color - Copyright (c) Fatih Arslan
- github.com/gin-gonic/gin - Copyright (c) Manu Martinez-Almeida
- github.com/goccy/go-json - Copyright (c) Masaaki Goshima
- github.com/joho/godotenv - Copyright (c) John Barton
- github.com/json-iterator/go - Copyright (c) json-iterator
- github.com/mattn/go-colorable - Copyright (c) Yasuhiro Matsumoto
- github.com/mattn/go-isatty - Copyright (c) Yasuhiro Matsumoto
- github.com/mattn/go-runewidth - Copyright (c) Yasuhiro Matsumoto
- github.com/muesli/cancelreader - Copyright (c) Christian Muehlhaeuser
- github.com/odvcencio/gotreesitter - Copyright (c) Contributors
- github.com/pelletier/go-toml - Copyright (c) Thomas Pelletier
- github.com/sirupsen/logrus - Copyright (c) Simon Eskildsen
- github.com/stretchr/testify - Copyright (c) Stretchr, Inc.
- github.com/testcontainers/testcontainers-go - Copyright (c) Testcontainers
- github.com/yuin/goldmark - Copyright (c) Yusuke Inuzuka
- github.com/zalando/go-keyring - Copyright (c) Zalando SE
- go.etcd.io/bbolt - Copyright (c) Ben Johnson, etcd Authors
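Review bot: The MIT condition is to reproduce the upstream copyright notice, so each entry here should carry the notice line as it appears in that module's LICENSE file (holder and, where present, year); the `Copyright (c) Contributors` placeholder on the github.com/odvcencio/gotreesitter line does not meet that and should be replaced with the text from the module's own LICENSE. Separately, github.com/stretchr/testify and github.com/testcontainers/testcontainers-go are test frameworks: if the project only imports them from `_test.go` files they are not redistributed with the binary and belong in a clearly marked test-only section rather than among the shipped components.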

P2 Module paths omit Go major-version suffix for v2+ modules

Several entries use the unversioned module path rather than the canonical path recorded in go.mod. In Go's module system, charm.land/bubbles and charm.land/bubbles/v2 are distinct modules — the notices should match the actual import path so attribution stays unambiguous.

Examples of mismatches (notices path → actual go.mod path):

  • charm.land/bubbles → charm.land/bubbles/v2
  • charm.land/bubbletea → charm.land/bubbletea/v2
  • charm.land/glamour → charm.land/glamour/v2
  • charm.land/lipgloss → charm.land/lipgloss/v2
  • github.com/alecthomas/chroma → github.com/alecthomas/chroma/v2
  • github.com/cenkalti/backoff → github.com/cenkalti/backoff/v4 / v5
  • github.com/go-git/go-git → github.com/go-git/go-git/v6
  • github.com/godbus/dbus → github.com/godbus/dbus/v5
  • github.com/hashicorp/golang-lru → github.com/hashicorp/golang-lru/v2
  • github.com/shirou/gopsutil → github.com/shirou/gopsutil/v4

The same pattern occurs for other packages in the Apache-2.0 and BSD sections.


Comment thread THIRD_PARTY_NOTICES.md
Comment on lines +1 to +5
# Third-Party Software Notices

This product includes software developed by third parties. The following
notices are provided in compliance with the license terms of each project.
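Review bot: The header gives no way to tell which go.mod state this file reflects or how it was produced, so a reader cannot check it for completeness or regenerate it after the next `go get`. Add a line such as `Generated from go.mod at commit <COMMIT> with <TOOL>; regenerate with <COMMAND>` (placeholders to be filled in) naming the generating tool, so the list can be rebuilt and diffed in CI instead of being maintained by hand.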

P2 Direct dependency github.com/bbalet/stopwords absent from notices

github.com/bbalet/stopwords appears as a direct dependency in go.mod (line 13) but is not listed anywhere in this file. Since MIT and other permissive licenses require attribution to be preserved in distributions, a notices document that omits direct dependencies is incomplete for compliance purposes. Tools like go-licenses or golicense can generate a full list automatically from go.mod/go.sum.

