getsentry · 0xadam-brown · May 21, 2026 · May 8, 2026 · May 19, 2026
@@ -8,3 +8,5 @@
 !test/**
 !btrace-perfetto/
 !btrace-perfetto/**
+!check-code-attribution/
+!check-code-attribution/**
@@ -0,0 +1,53 @@
+[
+  {
+    "id": "header-complete-and-notice-present",
+    "file": "HeaderCompleteAndNoticePresent.java",
+    "expectFinding": false,
+    "notes": "Header matches catalog entry"
+  },
+  {
+    "id": "header-complete-but-notice-missing",
+    "file": "HeaderCompleteButNoticeMissing.java",
+    "expectFinding": true,
+    "isolated": true,
+    "notes": "Full header; no catalog / root NOTICES entry. Isolated: prompt-cache priming in a concurrent batch suppresses the missing-NOTICES finding below medium."
+  },
+  {
+    "id": "header-missing-but-notice-present",
+    "file": "HeaderMissingButNoticePresent.java",
+    "expectFinding": true,
+    "isolated": true,
+    "notes": "NOTICES entry claims file is vendored but file has no attribution header. Isolated: a complete NOTICES entry suppresses the missing-header finding in a concurrent batch."
+  },
+  {
+    "id": "header-fully-stripped",
+    "file": "HeaderFullyStripped.java",
+    "expectFinding": true,
+    "notes": "Header has no required attribution fields"
+  },
+  {
+    "id": "header-partially-stripped",
+    "file": "HeaderPartiallyStripped.java",
+    "expectFinding": true,
+    "notes": "Adapted from + URL only; no copyright or license name"
+  },
+  {
+    "id": "header-missing-non-essential-info",
+    "file": "HeaderMissingNonEssentialInfo.java",
+    "expectFinding": false,
+    "notes": "All four required fields present; no license boilerplate — boilerplate is not required in the header"
+  },
+  {
+    "id": "header-vs-notice-mismatch",
+    "file": "THIRD_PARTY_NOTICES.md",
+    "expectFinding": true,
+    "isolated": true,
+    "notes": "Copyright in metadata field does not match embedded license text. Isolated: mismatch finding needs an independent assertion free of interference from other NOTICES changes."
+  },
+  {
+    "id": "new-license-type",
+    "file": "NewLicenseType.java",
+    "expectFinding": true,
+    "notes": "AGPL v3 license in file header — absolute ban, must be removed"
+  }
+]
@@ -0,0 +1,86 @@
+# Attribution skill validation tests
+
+Self-contained samples for validating `check-code-attribution` without touching production SDK sources.
+
+
+## Run the tests
+
+```bash
+./check-code-attribution-tests.sh
+```
+
+Requires Node.js and a Warden provider (see **Warden CLI** below).
+
+In practice, straight command line runs tend to be a bit flakier than asking Claude Code to run the tests for you.
+
+## Local development
+
+### Discovering changed files
+
+When running `/check-code-attribution` outside Warden, list files changed on the current branch vs the base branch, then apply the same exclusions as `ignorePaths` in `warden.toml`:
+
+```bash
+MB=$(git merge-base HEAD origin/main 2>/dev/null || git merge-base HEAD main)
+git diff --name-only "${MB}"..HEAD
+```
+
+### Warden CLI
+
+Warden does **not** use Cursor auth. Before running Warden locally, configure a provider (same model family as `warden.toml`, or override with `-m`):
+
+```bash
+# Option A: Anthropic API key (matches CI model in warden.toml)
+export WARDEN_ANTHROPIC_API_KEY=sk-ant-...   # or: export ANTHROPIC_API_KEY=sk-ant-...
+
+# Option B: Pi OAuth / API key store (~/.pi/agent/auth.json)
+npx pi    # then run /login and pick Anthropic (or another provider)
+
+# Option C: Different provider for a one-off run
+export WARDEN_OPENAI_API_KEY=sk-...
+npx @sentry/warden origin/main..HEAD --skill check-code-attribution -m openai/gpt-5.5 -vv
+```
+
+```bash
+npx @sentry/warden origin/main..HEAD --skill check-code-attribution -vv
+```
+
+## Layout
+
+- `EXPECTED.json` — scenario IDs and expected outcomes (single source of truth).
+- `THIRD_PARTY_NOTICES.catalog.md` — NOTICES-style entries for validation class names.
+- `scenarios/` — `.java` files and `THIRD_PARTY_NOTICES.mismatch-snippet.md` (copyright-mismatch fixture).
+- `check-code-attribution-tests.sh` — runs Warden on a temp branch and asserts per-scenario pass/fail.
+- `assert-scenarios.mjs` — validation driver (`list-isolated`, `routing-set`, `assert` subcommands); parses Warden JSONL and checks outcomes from `EXPECTED.json`.
+
+### assert-scenarios.mjs commands
+
+```bash
+node assert-scenarios.mjs validate EXPECTED.json scenarios/     # pre-flight (no API); run automatically by the shell script
+node assert-scenarios.mjs list-isolated EXPECTED.json           # id<TAB>file per isolated scenario
+node assert-scenarios.mjs list-main-java EXPECTED.json scenarios/  # .java files for the main Warden batch
+node assert-scenarios.mjs routing-set routing.json <id> <path>     # update id → Warden JSONL path
+node assert-scenarios.mjs assert EXPECTED.json <dest-pkg> routing.json
+```
+
+Warden runs are limited to 300s. On macOS the script uses `gtimeout` (from `brew install coreutils`) when available, otherwise GNU `timeout`, otherwise `perl` with `alarm`.
+
+## Add a scenario
+
+1. Add `scenarios/<UniqueClassName>.java`.
+2. Add or omit a catalog entry in `THIRD_PARTY_NOTICES.catalog.md`.
+3. Add an entry to `EXPECTED.json`.
+4. **Isolation (if needed):** If the scenario relies on a finding that could be suppressed by Anthropic prompt-cache priming when analyzed alongside many other files (e.g. a missing-NOTICES entry, or a missing header on a file that has a complete NOTICES entry), add `"isolated": true` to its `EXPECTED.json` entry. The test script creates a dedicated worktree for each isolated scenario automatically — no changes to the script itself are needed.
+
+## Validation (maintainers)
+
+Test samples live under `validation-tests/` and are excluded from normal skill runs via `.claude/**` in `warden.toml`.
+
+```bash
+.claude/skills/check-code-attribution/validation-tests/check-code-attribution-tests.sh
+```
+
+Expected outcomes are in `EXPECTED.json`. The script creates isolated git worktrees, runs Warden with `--report-on medium --json`, and asserts per-scenario pass/fail. Scenarios marked `"isolated": true` in `EXPECTED.json` each get their own worktree to avoid Anthropic prompt-cache priming that can suppress findings below medium in concurrent batches. Exit 0 = all pass.
+
+When manually reviewing a file under `scenarios/`, search `THIRD_PARTY_NOTICES.catalog.md` in addition to root `THIRD_PARTY_NOTICES.md` (Quick triage step 2 in `SKILL.md`).
+
+Non-Java fixtures required by the test script are listed in `REQUIRED_SCENARIO_FIXTURES` in `assert-scenarios.mjs`; pre-flight `validate` fails if any are missing.
@@ -0,0 +1,130 @@
+# Test THIRD_PARTY_NOTICES catalog (not shipped)
+
+Used only when validating `check-code-attribution` against `validation-tests/scenarios/**`.
+Grep this file in addition to the repository root `THIRD_PARTY_NOTICES.md`.
+
+---
+
+## Example — HeaderFullyStripped (MIT)
+
+**Source:** https://github.com/example/attribution-fixtures<br>
+**License:** MIT License<br>
+**Copyright:** Copyright (c) 2016 Example Author
+
+### Scope
+
+Attribution validation sample. The code resides in `io.sentry.skills.verification.HeaderFullyStripped` (`validation-tests/scenarios/HeaderFullyStripped.java`).
+
+```
+MIT License
+
+Copyright (c) 2016 Example Author
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+```
+
+---
+
+## Example — HeaderMissingButNoticePresent (Apache 2.0)
+
+**Source:** https://github.com/example/notices-without-header<br>
+**License:** Apache License 2.0<br>
+**Copyright:** Copyright 2023 Example Corp.
+
+### Scope
+
+Attribution validation sample. The code resides in `io.sentry.skills.verification.HeaderMissingButNoticePresent`.
+
+```
+Copyright 2023 Example Corp.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```
+
+---
+
+## Example — HeaderMissingNonEssentialInfo (MIT)
+
+**Source:** https://github.com/example/examplelib<br>
+**License:** MIT License<br>
+**Copyright:** Copyright 2020 Example Corp.
+
+### Scope
+
+Attribution validation sample. The code resides in `io.sentry.skills.verification.HeaderMissingNonEssentialInfo`.
+
+```
+MIT License
+
+Copyright (c) 2020 Example Corp.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+```
+
+---
+
+## Example — HeaderCompleteAndNoticePresent (Apache 2.0)
+
+**Source:** https://github.com/example/something<br>
+**License:** Apache License 2.0<br>
+**Copyright:** Copyright 2020 Example Authors
+
+### Scope
+
+Attribution validation sample. The code resides in `io.sentry.skills.verification.HeaderCompleteAndNoticePresent`.
+
+```
+Copyright 2020 Example Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```