This file is the repository-level place for third-party notices that must be stated outside package manifests or lockfiles.
- dependency license details remain primarily in package manifests and lockfiles
- repository-level asset provenance is tracked in
configs/third_party_asset_registry.json - first-party storefront and release-proof assets that are easy to mislabel as live publication evidence are also tracked there, so public-facing usage boundaries stay auditable
- add explicit notices here when copied text, media, icons, or vendored source require repository-level attribution
Update this file when you add:
- vendored source code
- copied documentation excerpts
- third-party assets that require redistribution notice
- release bundles with extra attribution requirements
- first-party storefront or release-proof bundles whose provenance and public wording boundaries must stay explicit to avoid overstating live publication