[DNM] chore(ai): Add check-code-attribution Claude Code skill (JAVA-499)

[0xadam-brown]

⚠️ DO NOT REVIEW: This is a test run for Warden configs ⚠️

📜 Description

Adds a check-code-attribution skill that verifies license headers + THIRD_PARTY_NOTICES.md entries for code copied or adapted from third parties. Reports any invalid headers and entries in the branch diff, along with suggestions for their correction.

Implementation notes:

• Executes via Warden on every PR (can also be run locally, eg, in Claude Code).
• Blocks merging via a "Requires Changes" comment for high-severity issues (viz., licensing). Can be dismissed via the command line but not via the GitHub UI.
• Generates non-blocking PR comments with code suggestions for medium-severity issues (e.g., missing fields in license headers).
• Automatically manages removing stale comments as PRs are updated.
• Atm workflow is not required on GitHub (i.e., the "Requires Changes" comment is the only blocking mechanism).

Warden configs: Click to expand

Settings

Setting	Value	Effect
triggers	pull_request + local	Runs on PR open/sync and local warden invocations
failOn	high	Workflow task fails if high-severity findings are present (currently does not block merge)
failCheck	true	Red X on workflow task if it fails
requestChanges	true	REQUEST_CHANGES PR comment when high-severity finding exists
reportOn	low	Create PR comment(s) for findings at low severity level or higher
reportOnSuccess	false (default)	No comment when everything is clean

ignorePaths

Category	Patterns
Infrastructure dirs	.claude/, .github/, .gradle/, .idea/, .mvn/, gradle/
Generated dirs	**/generated/**, **/ksp/**
Generated files	*.aidl, *.api, *.interp, *.tokens, *.g.kt, *.pb.java, *Binding.java, *Grpc.java
Build scripts	gradlew, gradlew.bat

Severity mappings

Level	Triggers	PR behavior
high	License violations (AGPL, copyleft, unlicensed)	REQUEST_CHANGES + fail check
medium	Missing headers, stripped attribution, inconsistent NOTICES, deleted/renamed vendored files	Shown in PR comment
low	Attribution could be improved	Shown in PR comment

💡 Motivation and Context

Third-party code attribution is a legal and compliance requirement. Currently, attribution correctness is only caught during manual code review. This skill automates detection of vendored code in branch diffs and can help us flag missing or incomplete attributions before a PR is merged.

Background: Click to expand

Sentry SDKs and third-party code

3 possible ways third-party code enters Sentry’s SDKs (including sentry-java): 

  1. Plain vanilla dependencies
  2. Shaded code
  3. Vendored code

All third-party code must be properly attributed, and licenses must be compatible with Sentry’s licensing policies. 

• Plain deps + shaded code: We run an enforce-license-compliance GitHub workflow that applies a FOSSA check to all plain vanilla dependencies and our few shaded dependencies, which ensures their licenses are properly attributed and are compatible with Sentry’s licensing policies. 

• Vendored code: Relies on a manual process where developers add attributions to files containing vendored code + include a corresponding entry is included in the THIRD_PARTY_NOTICES.md file that ships with the SDK. Developers are also responsible for ensuring license compatibility.

The criteria for what counts as a proper attribution of vendored code lives in the CODE_ATTRIBUTION_CRITERIA.md file under the heading “Third-Party Code Attribution”.

Goal of this PR: Create a skill that helps us properly attribute vendored code

Types of vendored code: 

1. Vendored code that’s already properly attributed.
2. Vendored code that has an attribution, but it’s incomplete or doesn’t otherwise conform to the criteria from CODE_ATTRIBUTION_CRITERIA.md.
3. Vendored code that has no attribution / no indication that it’s vendored. 

The skill introduced in this PR protects (1) from regression and identifies instances of (2). (Addressing (3) is out of scope – and is obviously non-trivial.)

• addresses: JAVA-499

⚠️ Callouts

Cost is non-trivial!

Rough est: ~ $2500 per month, $30k per year.

Calculation: Click to expand

Initial run of this skill on a PR with a 500 line diff costs ~ $1.00 - $1.50 using Opus 4.6 (link). Subsequent runs tend to be much cheaper (~ $0.01 - $0.50).

First-run PRs on sentry-java during April 2026:

Suppose 1500 initial runs per month (~ $1.25 per run) and 4500 subsequent runs (~ $0.15 per run) = $2550 per month (~ $31k per year) to run this skill on CI.

Substance over particulars

Skill does not mandate that license headers exactly match the template from AGENTS.md so long as all template fields are present.

That^^ lets us maintain our current, diverse header formats and remain relatively unopinionated going forward. Let me know if you think we should be strict about things, and I can update.

💚 How did you test it?

📝 Checklist

• I added GH Issue ID & Linear ID
• I added tests to verify the changes.
• No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled.
• I updated the docs if needed.
• I updated the wizard if needed.
• Review from the native team if needed.
• No breaking change or entry added to the changelog.
• No breaking change for hybrid SDKs or communicated to hybrid SDKs.

🔮 Next steps

[linear-code]

JAVA-499

[github-actions]

	Fails
🚫	Please consider adding a changelog entry for the next release.

Instructions and example for changelog

Please add an entry to CHANGELOG.md to the "Unreleased" section. Make sure the entry includes this PR's number.

Example:

## Unreleased

### Features

- Add check-code-attribution Claude Code skill (JAVA-499) ([#5444](https://github.com/getsentry/sentry-java/pull/5444))

If none of the above apply, you can opt out of this check by adding #skip-changelog to the PR description or adding a skip-changelog label.

Generated by 🚫 dangerJS against 0671b77

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
SDK Size	io.sentry.tests.size	8.41.0 (1)	release

⚙️ sentry-android Build Distribution Settings

[sentry-warden]

Findings exceed the configured threshold. See the GitHub Check for details.

Test PR — dismissing Warden review

[sentry-warden]

Findings exceed the configured threshold. See the GitHub Check for details.

Removing

Removing

All previously reported issues have been resolved.

All previously reported issues have been resolved.

[github-actions]

Performance metrics 🚀

	Plain	With Sentry	Diff
Startup time	358.88 ms	439.08 ms	80.20 ms
Size	0 B	0 B	0 B

Baseline results on branch: main

Startup times

Revision	Plain	With Sentry	Diff
48277cd	320.38 ms	379.90 ms	59.52 ms
382d6c1	306.85 ms	368.70 ms	61.85 ms
fc5ccaf	279.11 ms	353.34 ms	74.23 ms
9770665	315.64 ms	378.00 ms	62.36 ms
d15471f	315.20 ms	370.22 ms	55.02 ms
62b579c	349.26 ms	426.26 ms	77.00 ms
ee35ac3	346.83 ms	435.48 ms	88.65 ms
cd0981b	313.29 ms	356.63 ms	43.34 ms
22f4345	314.79 ms	375.02 ms	60.23 ms
fcec2f2	311.35 ms	384.94 ms	73.59 ms

App size

Revision	Plain	With Sentry	Diff
48277cd	0 B	0 B	0 B
382d6c1	1.58 MiB	2.29 MiB	719.85 KiB
fc5ccaf	1.58 MiB	2.13 MiB	557.54 KiB
9770665	0 B	0 B	0 B
d15471f	1.58 MiB	2.13 MiB	559.54 KiB
62b579c	0 B	0 B	0 B
ee35ac3	1.58 MiB	2.13 MiB	558.77 KiB
cd0981b	0 B	0 B	0 B
22f4345	1.58 MiB	2.29 MiB	719.83 KiB
fcec2f2	1.58 MiB	2.12 MiB	551.51 KiB

Previous results on branch: chore/check-code-attribution-skill-via-warden

Startup times

Revision	Plain	With Sentry	Diff
b7a62bc	303.51 ms	364.08 ms	60.57 ms

App size

Revision	Plain	With Sentry	Diff
b7a62bc	0 B	0 B	0 B

[sentry-warden]

⚠️ Copyright line stripped from vendored file header

⚠️ The Copyright (C) 2010 Square, Inc. line was removed from this vendored file's header. THIRD_PARTY_NOTICES.md (line 97/104) confirms the copyright holder is Square, Inc. — please restore the copyright line.

Verification

1. Read first 20 lines of FileObjectQueue.java — header now has 'Adapted from' URL and 'Licensed under Apache 2.0' but no copyright line. 2. Grep THIRD_PARTY_NOTICES.md for 'FileObjectQueue' — entry at line 93–111 confirms 'Copyright (C) 2010 Square, Inc.' and the embedded license text includes the same copyright. 3. The diff explicitly shows removal of Copyright (C) 2010 Square, Inc. on a - line. This is a required attribution field for vendored code.

Suggested fix: Restore the copyright line in the file header.

Suggested change

	/*
	* Adapted from: https://github.com/square/tape/tree/445cd3fd0a7b3ec48c9ea3e0e86663fe6d3735d8/tape/src/main/java/com/squareup/tape2
	*
	* Copyright (C) 2010 Square, Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* Copyright (C) 2010 Square, Inc.
	*

Also found at 2 additional locations

• sentry/src/main/java/io/sentry/CircularFifoQueue.java:4
• sentry/src/main/java/io/sentry/CircularFifoQueue.java:1-10

_{Identified by Warden check-code-attribution · FGM-ZTM}

[sentry-warden]

GPL-licensed code added to MIT-licensed repository

🚨 io.sentry.cache.CacheUtils — Header declares GPL License, which is strong copyleft and incompatible with this MIT-licensed repository per Sentry's Open Source Legal Policy. GPL code must not be included — remove it or replace with a permissively-licensed alternative.

Verification

Read first 20 lines of CacheUtils.java: header on lines 1–4 states GPL License / Copyright 2000. Grepped THIRD_PARTY_NOTICES.md for CacheUtils — no entry found. GPL is classified as strong copyleft in the severity guide, requiring legal review and flagged as high severity.

Also found at 2 additional locations

• sentry/src/main/java/io/sentry/util/CompactJsonWriter.java:3-3
• sentry/src/main/java/io/sentry/util/CompactJsonWriter.java:1-5

_{Identified by Warden check-code-attribution · 9N9-FPN}