Right, except AGPL is a propagating license, just like GPL. Because Nighthawk wallet links with it, it must also be AGPL, yet Nighthawk is currently licensed as Apache 2.0. That’s why I said Nighthawk would be in violation of its licensing terms.
Section 5 (source) has the following quotes:
“You may convey a work based on the Program”
" * c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it."
Despite you using iText7 as a compiled JAR (presumably), it’s directly linked into your app which has the modern interpretation of the GPL consider your work derivative. You also are conveying source (Nighthawk) based on iText7 (as you are conveying source based on the “Program”, and the license doesn’t require it to be based on the “Program’s source”). If you had sandboxed it in an isolated app, solely that app would be AGPL, yet the direct linkage is generally considered to be pretty damning. You could get an exception, yet that exception (if limited to the group behind Nighthawk) could void Nighthawk as an OSS project due to the inability to fork off from it without relicensing (it may be legal for someone to fork Apache 2.0 work and relicense as AGPL without permission? I’m not entirely sure as AGPL should be more restrictive and therefore still honor Apache 2.0 but… it’s just a complete and utter mess to discuss).
IANAL. You should absolutely get a lawyer to review this. I wouldn’t touch the Nighthawk codebase, personally, with a ten foot stick until a lawyer confirms the legality of this. You can say iText 7 has yet to complain so you don’t care yet that’s really not a healthy solution (as it means iText 7 has the power to remove your app at any time, leaving you to fight them while the DMCA claim is active, potentially leading to a lawsuit in their jurisdiction).
I’ll also note your app, despite providing a UI, doesn’t appear to have any copyright statements in it.
" * d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so."
I don’t believe iText 7, a library, has UIs so that exemption shouldn’t apply, but I could be wrong as I haven’t worked with iText 7. My main focus is on the fact that Nighthawk doesn’t display any legal notices AFAICT. It seems to be the main page, an info button linking to Zcash, a ‘profile’ page (which has a box saying “Nighthawk” + version yet tapping it doesn’t expand it for more info), and settings, all without copyright statements. This may have issues for other libraries you use if they’re BSD-3/GPL.
EDIT: For further reading reference:
licensing - AGPL - what you can do and what you can't - Software Engineering Stack Exchange ← Says your work must be AGPL no matter what.
licensing - Use of Unmodified AGPLv3 lib - am I AGPL too? - Software Engineering Stack Exchange ← Says your work must be AGPL unless the AGPL code is sandboxed in another binary (as GPL code generally is when dealing with these problems). The first link contradicts that by saying even that isn’t enough, as the AGPL was intended to avoid web based license exploits (you’re never distributing the app, and therefore having users who you’re responsible to under these licenses, if you’re solely distributing a website which makes POST requests to your app). I believe as long as you still communicate the AGPL licensing of the other binary in your non-AGPL app, you can have a non-AGPL app.
The best reference may be Frequently Asked Questions about the GNU Licenses - GNU Project - Free Software Foundation which seems to say it’s okay for Nighthawk itself to be Apache 2.0 (as it’s GPLv3 compatible) AS LONG AS it’s also licensed as GPLv3 and the sum product is released as a GPL binary (in contradiction to some of my commentary and parts of these other links). The distinction is you’re not currently releasing it as a GPL binary (see comments on copyright inclusion).
Various Licenses and Comments about Them - GNU Project - Free Software Foundation and the AGPL section 13 seem to confirm this.
It’s all a mess. This is why I’d get a lawyer to review this and give you a statement you can have ready for these discussions.