Replace `js-green-licenses` with a maintained alternative

[trevor-scheer]

Context

#4240 patches js-green-licenses (jsgl) to fix a regex bug and works around a broken CLI invocation that's been silently no-op'ing the license check for most workspace packages. That unblocks the alpha release PR (#4239), but it leaves us pinned to an archived dependency.

Why replace it

google/js-green-licenses is archived:

• Last release: v4.0.0 (Jan 2023)
• Repo went read-only; 27 open issues and 12+ open PRs sit unanswered
• The exact regex bug we patched in Fix license-check so it actually checks the whole monorepo #4240 has had an open upstream fix (PR #230) since Feb 2024 with zero maintainer engagement

We can't expect any future fixes, including for genuinely new SPDX licenses we'd want to allow.

What to evaluate

A few candidates to compare:

• license-checker-rseidelsohn — actively-maintained fork of the classic license-checker
• @inquirer/license-style scripts wrapping npm-license-checker
• A small in-house script reading package.json license fields directly + an allowlist (likely the simplest given how little jsgl is actually doing for us)

Whatever lands should:

• Walk the whole monorepo (every packages/*/package.json), not just one
• Skip workspace packages so unpublished alpha versions don't break the check
• Have an allowlist mechanism for non-SPDX-but-known-good packages
• Be fast enough for CI (jsgl currently takes ~1m of npm lookups)

Cleanup when this lands

• Remove resources/patches/js-green-licenses+4.0.0.patch
• Drop js-green-licenses from package.json dependencies
• Update js-green-licenses.json schema or replace it with the new tool's config