USCO's Part 2 AI Report changed the copyright analysis for AI-generated code. Doe v. GitHub is still being litigated. AGPL contamination still shows up in production scans. The IP cluster traces all of it.
Open-source licenses range from "use freely, even commercially" to "if you ship this on the network, your entire app's source must be public." AI coding tools reproduce code from all of them with no license headers attached. The license obligations travel with the code anyway. This is the cheat sheet you can reference when something flags in a scan or shows up unexpectedly in a dependency tree.
An SBOM is a machine-readable inventory of every software component in your application — direct dependencies, transitive dependencies, versions, licenses, suppliers. Procurement teams at large enterprises and the US federal government now require them; the EU's Cyber Resilience Act will require them for products sold in the EU starting late 2027. The good news: generating one for a JS or Python app takes minutes with the right tool.
Two different questions get conflated all the time: "does GitHub own this?" (a contract question, and GitHub's own terms of service answer no) and "does anyone own this?" (a copyright question, which the US Copyright Office increasingly answers "maybe not"). The first one is settled. The second is what acquirers and litigators are starting to ask.
AGPL is the strongest copyleft license in mainstream use. It's specifically designed to cover network services, which means deploying an app — not just shipping a binary — can trigger the source-disclosure requirement. AI coding tools occasionally reproduce AGPL-licensed code from their training data. Here's what happens when those two facts collide.