vscode/.github/instructions/oss.instructions.md

applyTo
{ThirdPartyNotices.txt,cli/ThirdPartyNotices.txt,cglicenses.json,cgmanifest.json}

OSS License Review

When reviewing changes to these files, verify:

ThirdPartyNotices.txt

  • Every new entry has a license type header (e.g., "MIT License", "Apache License 2.0")
  • License text is present and non-empty for every entry
  • License text matches the declared license type (e.g., MIT-declared entry actually contains MIT license text, not Apache)
  • Removed entries are cleanly removed (no leftover fragments)
  • Entries are sorted alphabetically by package name

cglicenses.json

  • New overrides have a justification comment
  • No obviously stale entries for packages no longer in the dependency tree

cgmanifest.json

  • Package versions match what's actually installed
  • Repository URLs are valid and point to real source repositories
  • Newly added license identifiers should use SPDX format where possible
  • License identifiers match the corresponding ThirdPartyNotices.txt entries

Red Flags

  • Any newly added copyleft license (GPL, LGPL, AGPL) — flag immediately (existing copyleft entries like ffmpeg are pre-approved)
  • Any "UNKNOWN" or placeholder license text
  • License text that appears truncated or corrupted
  • A package declared as MIT but with Apache/BSD/other license text (or vice versa)
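
The copyleft and placeholder red flags above can be checked mechanically by comparing the old and new cgmanifest.json, so that pre-approved existing entries are not re-flagged. This is an added example, not part of the original instructions file or the project's tooling; the `registrations`/`component`/`license` layout, the placeholder word list, and the sample entries are assumptions constructed for illustration.

```python
import re

# Matches copyleft families named in the checklist, also inside SPDX expressions.
COPYLEFT = re.compile(r"\b(AGPL|LGPL|GPL)\b", re.IGNORECASE)
# Assumed placeholder spellings; extend to match local conventions.
PLACEHOLDER = {"", "unknown", "todo", "tbd", "noassertion"}

def licenses_by_name(manifest):
    """Map component name -> declared license (assumed cgmanifest.json layout)."""
    out = {}
    for entry in manifest.get("registrations", []):
        comp = entry.get("component", {})
        detail = comp.get(comp.get("type", ""), {})  # e.g. comp["git"]
        name = detail.get("name")
        if name:
            out[name] = (entry.get("license") or "").strip()
    return out

def red_flags(old_manifest, new_manifest):
    """Return (package, reason) pairs a reviewer should flag immediately."""
    before = licenses_by_name(old_manifest)
    after = licenses_by_name(new_manifest)
    flags = []
    for name, lic in sorted(after.items()):
        if lic.lower() in PLACEHOLDER:
            # Missing, "UNKNOWN" or placeholder license: always a red flag.
            flags.append((name, "placeholder-license"))
        elif COPYLEFT.search(lic) and before.get(name) != lic:
            # Copyleft that is new or changed; unchanged entries are pre-approved.
            flags.append((name, "new-copyleft"))
    return flags

def reg(name, lic):
    """Build a constructed sample registration (hypothetical helper)."""
    git = {"name": name, "repositoryUrl": "https://example.invalid/" + name,
           "commitHash": "0" * 40}
    return {"component": {"type": "git", "git": git}, "license": lic}

# Constructed sample data: the base branch and the change under review.
OLD = {"registrations": [reg("ffmpeg", "LGPL-2.1-or-later")]}
NEW = {"registrations": [
    reg("ffmpeg", "LGPL-2.1-or-later"),   # existing copyleft, unchanged
    reg("libfoo", "GPL-3.0-only"),        # newly added copyleft
    reg("libbar", "UNKNOWN"),             # placeholder license
    reg("libbaz", "MIT"),                 # permissive, no flag
]}

if __name__ == "__main__":
    for package, reason in red_flags(OLD, NEW):
        print(f"{reason}: {package}")
```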