[DNM] chore(ai): Add check-code-attribution Claude Code skill (JAVA-499)

[0xadam-brown]

⚠️ DO NOT REVIEW: This is a test run for Warden configs ⚠️

📜 Description

Adds a check-code-attribution skill that verifies license headers + THIRD_PARTY_NOTICES.md entries for code copied or adapted from third parties. Reports any invalid headers and entries in the branch diff, along with suggestions for their correction.

Implementation notes:

• Executes via Warden on every PR (can also be run locally, eg, in Claude Code).
• Advisory only / does not block merge.
• Generates PR comments with code suggestions for all discovered issues.
• Automatically manages removing stale comments as PRs are updated.

Warden configs: Click to expand

Settings

Setting	Value	Effect
triggers	pull_request + local	Runs on PR open/sync and local warden invocations
failOn	high	Workflow task fails if high-severity findings are present (currently does not block merge)
failCheck	false	Red X on workflow task if it fails
requestChanges	false	Never post REQUEST_CHANGES PR comments
reportOn	low	Create PR comment(s) for findings at low severity level or higher
reportOnSuccess	false (default)	No comment when everything is clean

ignorePaths

Category	Patterns
Infrastructure dirs	.claude/, .github/, .gradle/, .idea/, .mvn/, gradle/
Generated dirs	**/generated/**, **/ksp/**
Generated files	*.aidl, *.api, *.interp, *.tokens, *.g.kt, *.pb.java, *Binding.java, *Grpc.java
Build scripts	gradlew, gradlew.bat

Severity mappings

Level	Triggers	PR behavior
high	License violations (AGPL, copyleft, unlicensed)	REQUEST_CHANGES + fail check
medium	Missing headers, stripped attribution, inconsistent NOTICES, deleted/renamed vendored files	Shown in PR comment
low	Attribution could be improved	Shown in PR comment

💡 Motivation and Context

Third-party code attribution is a legal and compliance requirement. Currently, attribution correctness is only caught during manual code review. This skill automates detection of vendored code in branch diffs and can help us flag missing or incomplete attributions before a PR is merged.

Background: Click to expand

Sentry SDKs and third-party code

3 possible ways third-party code enters Sentry’s SDKs (including sentry-java): 

  1. Plain vanilla dependencies
  2. Shaded code
  3. Vendored code

All third-party code must be properly attributed, and licenses must be compatible with Sentry’s licensing policies. 

• Plain deps + shaded code: We run an enforce-license-compliance GitHub workflow that applies a FOSSA check to all plain vanilla dependencies and our few shaded dependencies, which ensures their licenses are properly attributed and are compatible with Sentry’s licensing policies. 

• Vendored code: Relies on a manual process where developers add attributions to files containing vendored code + include a corresponding entry is included in the THIRD_PARTY_NOTICES.md file that ships with the SDK. Developers are also responsible for ensuring license compatibility.

The criteria for what counts as a proper attribution of vendored code lives in the CODE_ATTRIBUTION_CRITERIA.md file under the heading “Third-Party Code Attribution”.

Goal of this PR: Create a skill that helps us properly attribute vendored code

Types of vendored code: 

1. Vendored code that’s already properly attributed.
2. Vendored code that has an attribution, but it’s incomplete or doesn’t otherwise conform to the criteria from CODE_ATTRIBUTION_CRITERIA.md.
3. Vendored code that has no attribution / no indication that it’s vendored. 

The skill introduced in this PR protects (1) from regression and identifies instances of (2). (Addressing (3) is out of scope – and is obviously non-trivial.)

• addresses: JAVA-499

⚠️ Callouts

Cost is non-trivial!

Rough est: ~ $2500 per month, $30k per year.

Calculation: Click to expand

Initial run of this skill on a PR with a 500 line diff costs ~ $1.00 - $1.50 using Opus 4.6 (link). Subsequent runs tend to be much cheaper (~ $0.01 - $0.50).

First-run PRs on sentry-java during April 2026:

Suppose 1500 initial runs per month (~ $1.25 per run) and 4500 subsequent runs (~ $0.15 per run) = $2550 per month (~ $31k per year) to run this skill on CI.

Substance over particulars

Skill does not mandate that license headers exactly match the template from AGENTS.md so long as all template fields are present.

That^^ lets us maintain our current, diverse header formats and remain relatively unopinionated going forward. Let me know if you think we should be strict about things, and I can update.

💚 How did you test it?

📝 Checklist

• I added GH Issue ID & Linear ID
• I added tests to verify the changes.
• No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled.
• I updated the docs if needed.
• I updated the wizard if needed.
• Review from the native team if needed.
• No breaking change or entry added to the changelog.
• No breaking change for hybrid SDKs or communicated to hybrid SDKs.

🔮 Next steps

[linear-code]

JAVA-499

[github-actions]

	Fails
🚫	Please consider adding a changelog entry for the next release.

Instructions and example for changelog

Please add an entry to CHANGELOG.md to the "Unreleased" section. Make sure the entry includes this PR's number.

Example:

## Unreleased

### Features

- Add check-code-attribution Claude Code skill (JAVA-499) ([#5444](https://github.com/getsentry/sentry-java/pull/5444))

If none of the above apply, you can opt out of this check by adding #skip-changelog to the PR description or adding a skip-changelog label.

Generated by 🚫 dangerJS against 0c07054

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
SDK Size	io.sentry.tests.size	8.41.0 (1)	release

⚙️ sentry-android Build Distribution Settings

[sentry-warden]

Findings exceed the configured threshold. See the GitHub Check for details.

Test PR — dismissing Warden review

[sentry-warden]

Findings exceed the configured threshold. See the GitHub Check for details.

Removing

Removing

All previously reported issues have been resolved.

All previously reported issues have been resolved.

[github-actions]

Performance metrics 🚀

	Plain	With Sentry	Diff
Startup time	358.88 ms	439.08 ms	80.20 ms
Size	0 B	0 B	0 B

Baseline results on branch: main

Startup times

Revision	Plain	With Sentry	Diff
48277cd	320.38 ms	379.90 ms	59.52 ms
382d6c1	306.85 ms	368.70 ms	61.85 ms
fc5ccaf	279.11 ms	353.34 ms	74.23 ms
9770665	315.64 ms	378.00 ms	62.36 ms
d15471f	315.20 ms	370.22 ms	55.02 ms
62b579c	349.26 ms	426.26 ms	77.00 ms
ee35ac3	346.83 ms	435.48 ms	88.65 ms
cd0981b	313.29 ms	356.63 ms	43.34 ms
22f4345	314.79 ms	375.02 ms	60.23 ms
fcec2f2	311.35 ms	384.94 ms	73.59 ms

App size

Revision	Plain	With Sentry	Diff
48277cd	0 B	0 B	0 B
382d6c1	1.58 MiB	2.29 MiB	719.85 KiB
fc5ccaf	1.58 MiB	2.13 MiB	557.54 KiB
9770665	0 B	0 B	0 B
d15471f	1.58 MiB	2.13 MiB	559.54 KiB
62b579c	0 B	0 B	0 B
ee35ac3	1.58 MiB	2.13 MiB	558.77 KiB
cd0981b	0 B	0 B	0 B
22f4345	1.58 MiB	2.29 MiB	719.83 KiB
fcec2f2	1.58 MiB	2.12 MiB	551.51 KiB

Previous results on branch: chore/check-code-attribution-skill-via-warden

Startup times

Revision	Plain	With Sentry	Diff
b7a62bc	303.51 ms	364.08 ms	60.57 ms

App size

Revision	Plain	With Sentry	Diff
b7a62bc	0 B	0 B	0 B

[sentry-warden]

🚨 AGPL license introduced into Sentry-owned source file

io.sentry.cache.IEnvelopeCache — The added header declares License: AGPL, which is absolutely prohibited under Sentry's open source legal policy (https://open.sentry.io/licensing/). This code must be removed or replaced with a permissively-licensed alternative.

Verification

Read first 50 lines of IEnvelopeCache.java: lines 1–4 contain License: AGPL and Copyright: 1901. Grep of THIRD_PARTY_NOTICES.md for IEnvelopeCache returned no matches. The file is a Sentry-authored interface (package io.sentry.cache); adding an AGPL header means either the code was replaced with AGPL-licensed third-party code or the header is erroneous. Either way, AGPL is an absolute ban per https://open.sentry.io/licensing/.

Also found at 5 additional locations

• sentry/src/main/java/io/sentry/util/CompactJsonWriter.java:1-5
• sentry/src/main/java/io/sentry/util/ConcurrentLruCache.java:1-4
• sentry/src/main/java/io/sentry/util/LeakyBucket.java:1
• sentry/src/main/java/io/sentry/util/SlidingWindow.java:1-4
• sentry/src/main/java/io/sentry/util/TokenBucket.java:1-2

_{Identified by Warden check-code-attribution · 994-N2N}