licensing: establish third-party asset attribution / NOTICE policy

[yigitdot]

Context

The Copilot review on #135 (discussion_r3282093382) flagged that inline SVG icon path data copied from third-party sets can carry licensing obligations:

• Material Design Icons — Apache-2.0 (requires preserving attribution / NOTICE)
• Simple Icons — CC0 / public domain (no obligation)

PR #135 resolved the immediate case in code: the mail glyph was redrawn from original coordinates (no Material path data), and the X / LinkedIn glyphs are from Simple Icons (CC0). The repo currently carries no third-party-licensed icon code.

The gap

The broader concern is not tracked anywhere. The repo has:

• no LICENSE file and no license field in package.json
• no NOTICE / THIRD-PARTY file
• no documented convention for vetting third-party assets (icons, fonts, images, copied code snippets)

So the next contributor who pastes an icon path, a font, or a snippet from an Apache-2.0 / MIT source has nothing telling them an obligation may apply, and nowhere to record it.

Suggested scope

• Decide whether to add a NOTICE / THIRD-PARTY-LICENSES file and what triggers an entry.
• Document the rule where contributors read it (e.g. AGENTS.md): prefer original or CC0 assets; if a permissively-licensed asset is used, record source + license.
• Optionally audit existing assets (fonts, public/ images, the wordmark SVGs) for the same question.

Surfaced by #135.

[github-actions]

🎯 Agentic Issue Triage

This issue tracks establishing a licensing / attribution policy for third-party assets in the repo. The immediate code concern (PR #135) is already resolved; this is about governance and documentation going forward.

Type: Policy / documentation task
Priority: Low (no current violation; preventive measure)
Labels already applied: documentation, low-priority ✅

---

📋 Summary & context

The repo currently has:

• No LICENSE file (nor license field in package.json)
• No NOTICE / THIRD-PARTY-LICENSES file
• No documented convention for vetting third-party assets

The risk: a future contributor pastes an Apache-2.0 icon path (e.g. from Material Design Icons) with no signal that an attribution obligation may apply.

Existing assets to audit:

• public/wordmark-dark.svg, public/wordmark-light.svg — presumably original
• public/d_logo.png — check origin
• public/presskit/ — check fonts/artwork
• public/decdn_litepaper.pdf — probably fine, but worth noting
• Geist font (loaded via next/font) — OFL-1.1; loading via CDN requires no NOTICE entry, but self-hosting would

✅ Suggested checklist

• Decide on repo license — add a LICENSE file and "license" field in package.json (e.g. proprietary / UNLICENSED, or MIT for the website scaffold)
• Audit existing assets — verify origin + license for public/ images, wordmark-*.svg, and the presskit; document any third-party items
• Add NOTICE / THIRD-PARTY-LICENSES file (if any permissive-license assets are confirmed) — template: <asset name> — <license> — <source URL>
• Update AGENTS.md with asset vetting rule: prefer original or CC0 assets; if a permissively-licensed asset is used, record source + license in NOTICE

🔗 References & resources

• [Apache-2.0 NOTICE requirement]((www.apache.org/redacted) — Section 4(d)
• Simple Icons license (CC0)
• Material Design Icons license (Apache-2.0)
• Geist font license (OFL-1.1)
• [SPDX license identifiers]((spdx.org/redacted) — use these in package.json
• PR that surfaced this: feat(contact): add channel icons to email, linkedin, and x links #135

💡 Nudges for implementation

The smallest useful change that closes the gap:

1. Add one sentence to AGENTS.md under a "Third-party assets" heading: Prefer original or CC0 assets. If you use an Apache-2.0 / MIT asset, add an entry to NOTICE with the asset name, license, and source URL.
2. Create an empty NOTICE file (or one with a heading) so the convention is established even if no entries are needed yet.

The repo-level LICENSE decision is a separate, potentially higher-stakes call (involves the product team), and can be decoupled from the AGENTS.md / NOTICE items.

Generated by Agentic Triage for issue #136 · ● 2.1M · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/issue-triage.md@c7d030cd6d4607b90d9ac3ffc8b24aff4f251632