feat: LICENSE-based allow rules — permit access to upstream repos by license type

[coopernetes]

Problem

OSPO policy commonly permits contributing to any open-source project carrying an approved license (e.g. MIT, Apache-2.0, BSD variants). Today, operators must enumerate every allowed repo slug explicitly in URL rules. For environments with hundreds of upstream FOSS dependencies this is unmaintainable — and misses new repos added over time.

Proposed behaviour

Add a license-aware dimension to URL allow rules. When a rule specifies a `license` condition, the proxy fetches (and caches) the upstream repo's LICENSE file at allow-rule evaluation time and checks the detected SPDX identifier against the configured list or group.

rules:
  allow:
    - operations: [FETCH, PUSH]
      providers: [github]
      license:
        groups: [permissive]       # built-in group: MIT, Apache-2.0, BSD-*, ISC, …

Or with an explicit list:

    - operations: [FETCH]
      providers: [github]
      license:
        spdx: [MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause]

Notes

• Distinct from License policy enforcement: block or warn on pushes based on license groups #82, which enforces license policy on the pushed code's declared licenses. This issue is about matching the upstream repository's LICENSE file to decide whether access is permitted at all.
• License detection should be cached (TTL configurable) to avoid hammering the upstream SCM API on every request.
• Built-in groups should align with common OSPO/appsec vendor categorisations (FOSSA, Black Duck, Snyk defaults): `permissive`, `weak-copyleft`, `strong-copyleft`, `unknown`.
• Operators should be able to define custom groups and override built-in group membership in config (see also the existing `licenseGroups` design in License policy enforcement: block or warn on pushes based on license groups #82).