Change project license from CC0 to Apache 2.0

[danielnaab]

Summary

This updates the project license from Creative Commons Zero (CC0) to the Apache License, Version 2.0.

• Added a standard LICENSE file containing the full Apache 2.0 license text
• Updated the license field from "CC0" to "Apache-2.0" across all 9 package.json files that declared it

The Apache 2.0 license provides explicit patent grants and contribution terms while remaining a widely adopted, permissive open-source license. GitHub will automatically detect the new license from the LICENSE file.

Test plan

• Verify the LICENSE file renders correctly on the repository landing page
• Confirm GitHub displays "Apache-2.0" as the detected license

[changeset-bot]

⚠️ No Changeset found

Latest commit: bd60620

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[claude]

Code Review: License Change CC0 → Apache 2.0

Overview

This PR changes the project license from Creative Commons Zero (CC0) to Apache License 2.0. The change consists of two parts: adding a LICENSE file with the full Apache 2.0 text, and updating the license field in all 9 package.json files that declared it.

---

Correctness

Coverage is complete. I verified that the 9 updated package.json files are the only ones in the monorepo that declare a "license" field. The remaining packages (apps/spotlight, packages/design, packages/server, e2e, infra/aws-cdk, infra/cdktf) do not have a license field and are correctly omitted.

No stale CC0 references remain in any .md or documentation files.

The SPDX identifier "Apache-2.0" is correct — it's the canonical identifier for npm and GitHub's license detection.

---

Issues

Minor: Leading blank line in LICENSE

The LICENSE file starts with a blank line before Apache License:

(blank line)
                                 Apache License
                           Version 2.0, January 2004

The canonical Apache 2.0 text from apache.org does not include this leading blank line. While GitHub will still correctly detect the license, it's worth trimming for cleanliness.

---

Suggestions / Considerations

No NOTICE file

Apache 2.0 (Section 4(d)) specifies that redistributors must include a readable copy of any existing NOTICE file. Adding a NOTICE file is optional but is common practice for Apache-licensed projects — it's the conventional place to record copyright ownership and attribution:

10x Forms Platform
Copyright [year] Flexion, Inc. (or the appropriate legal entity)

This is not a blocker, but worth discussing with your legal/policy team given that this is a government platform.

No per-file copyright headers

Apache 2.0 recommends (but does not require) adding a copyright/license header to each source file (as shown in the LICENSE Appendix). For a project of this scope, omitting them is common and acceptable — but if the project ever needs to assert ownership or meet agency IP requirements, per-file headers become valuable. This is a "nice to have" rather than a gap.

Appendix placeholder text is intentional

The Copyright [yyyy] [name of copyright owner] text at the end of the LICENSE file (line 188) is the standard Apache 2.0 boilerplate instructions for users of the license who want to apply it to their own files. This is correct and does not need to be filled in.

---

Summary

Area	Status
Package.json coverage	All 9 files correctly updated
SPDX identifier	Correct (Apache-2.0)
LICENSE text	Canonical Apache 2.0 ✓ (minor leading blank line)
Stale CC0 references	None remaining
NOTICE file	Not added (optional, worth considering)
Per-file headers	Not added (acceptable)

This is a clean, well-scoped change. The only concrete suggestion is to remove the leading blank line from the LICENSE file. Everything else is either correct or a policy-level decision for the team.

Review generated with Claude Code

[claude]

Code Review: License Change CC0 to Apache 2.0

Overview

This PR replaces Creative Commons Zero (CC0) with Apache License 2.0 across the monorepo. It adds a canonical LICENSE file and updates the license field in 9 package.json files.

What is Done Well

• The LICENSE file contains the verbatim, unmodified Apache 2.0 text — correct practice and what GitHub license detection expects.
• SPDX identifier Apache-2.0 is used in all package.json files — correct per SPDX spec and npm conventions.
• Root package.json plus all sub-packages that carried the old CC0 field are updated consistently.

Concerns

1. Potentially Missing Packages

Based on the monorepo structure in CLAUDE.md, the following workspaces do not appear in this diff: packages/design, packages/server, apps/spotlight, infra/aws-cdk, infra/cdktf.

The PR description says "9 package.json files that declared it" — implying only files that already had "license": "CC0" were changed. If those missing packages lack a license field entirely, adding "license": "Apache-2.0" would improve consistency for npm publish and license scanners. Please verify and either update them or document why they are excluded.

2. Retroactive Relicensing (Legal Concern — Blocking)

Changing from CC0 to Apache 2.0 is a substantive legal change, not a metadata tweak. CC0 is a public domain dedication; Apache 2.0 imposes conditions (attribution, patent termination clause) that CC0 does not. Code already contributed under CC0 cannot be unilaterally relicensed without contributor consent.

Before merging, please confirm all contributors have agreed to the new license — via a CLA, explicit consent, or because all contributions come from a single rights holder. This is especially important for a government-adjacent project where IP ownership may have specific requirements.

3. Unfilled Placeholder in LICENSE Appendix

The LICENSE file includes the standard Apache 2.0 appendix with the template line Copyright [yyyy] [name of copyright owner]. This is acceptable — the appendix is instructional text, not the project copyright statement, and many projects leave it verbatim. But if there is an official copyright holder (e.g., Flexion Inc. or a federal agency), filling this in or adding a NOTICE file would clarify the attribution chain for downstream consumers.

4. No NOTICE File

Apache 2.0 Section 4(d) references a NOTICE file for attribution notices. Not required if no attributions exist, but it is conventional practice for Apache-licensed projects. Consider adding a minimal NOTICE file.

Summary

Item	Status
LICENSE text correctness	Verbatim Apache 2.0 ✓
SPDX identifiers in package.json	Correct ✓
Coverage of all packages	Verify missing packages ⚠
Contributor relicensing consent	Must confirm before merge ⚠
NOTICE file	Optional but recommended
Copyright placeholder	Acceptable as-is; consider filling in

The mechanical changes are clean and correct. The primary concern before merging is confirming that contributor consent for the relicensing has been obtained.