
Adopt Apache-2.0 OR MIT dual license; gate CI on license audit#57

Open
plx wants to merge 1 commit into main from plx/license-audit

Conversation

@plx (Owner) commented May 10, 2026

Description

Reconciles trop's license metadata, adopts the standard Rust Apache-2.0 OR MIT dual license, and adds a blocking CI license-audit job.

Type of Change

  • Documentation update
  • CI/CD improvements
  • Bug fix (clippy regressions on Rust 1.95.0)

Motivation and Context

The project's LICENSE file carried BSD-3-Clause text while both Cargo.toml files declared license = "MIT" — an inconsistency that needed resolution. An audit of the 163-crate distributable dependency tree confirmed that Apache-2.0 OR MIT (the de-facto Rust standard) is fully compatible with every dep, including the three constraining ones (unicode-bom, sha1_smol, ryu), so we adopt that.

To prevent future drift between the license claim and the actual third-party obligations, this PR also wires in cargo-about and a CI check that fails if the generated THIRD_PARTY_LICENSES.md is stale.

Implementation Details

  • License files: LICENSE is now a short pointer to the dual license; LICENSE-APACHE carries the full Apache 2.0 text; LICENSE-MIT carries the standard MIT text. Both Cargo.tomls declare license = "Apache-2.0 OR MIT".
  • cargo-about: about.toml lists accepted SPDX IDs and the five target triples we support (Linux x86_64/aarch64, macOS x86_64/arm64, Windows x86_64-msvc) so generation is deterministic across machines. about.hbs is the Handlebars template (uses triple-brace expressions to skip HTML escaping in license text).
  • THIRD_PARTY_LICENSES.md: ~187 KB generated artifact, committed so CI has something to diff against. Counts: 227 MIT, 19 Unicode-3.0, 10 Apache-2.0, 1 BSD-3-Clause.
  • Just recipes: just licenses regenerates; just ci-check-licenses regenerates into a temp file and unified-diffs against the committed copy with a helpful error on mismatch.
  • CI job: New licenses job uses taiki-e/install-action@v2 for a cached prebuilt cargo-about. Added to needs: of the test matrix, so the entire test job blocks on it.
  • Pre-existing clippy fixes: Rust 1.95.0 introduced duration_suboptimal_units and tightened map_unwrap_or. Trivial fixes in database/config.rs and reservation.rs (4 lines total) so this PR's CI passes.

Testing

  • All existing tests pass locally (just preflight-pr green)
  • Manual testing performed (regenerated and verified deterministic across runs; tampered with the file and confirmed ci-check-licenses rejects)

Platform Compatibility

  • Linux (CI matrix)
  • macOS (local + CI matrix)
  • Windows (CI matrix)

Checklist

  • Code follows the project's style guidelines (cargo fmt --check passes)
  • No compiler warnings (cargo clippy passes)
  • Documentation updated (README, AGENTIC_NAVIGATION_GUIDE)
  • All CI checks expected to pass

🤖 Generated with Claude Code

Replaces the previous single LICENSE file (which carried BSD-3-Clause text
despite Cargo.toml declaring MIT) with the standard Rust dual-license setup:
LICENSE-MIT, LICENSE-APACHE, and a top-level LICENSE pointer. Both crates
now declare `license = "Apache-2.0 OR MIT"`. README and the navigation guide
are updated accordingly.

Adds cargo-about (about.toml + about.hbs) and a generated
THIRD_PARTY_LICENSES.md enumerating every third-party crate that ships with
the distribution. A new `licenses` CI job (using a cached cargo-about
binary via taiki-e/install-action) regenerates the file and diffs against
the committed copy; the test matrix now blocks on it. Local equivalents are
`just licenses` (regenerate) and `just ci-check-licenses` (verify).

Also fixes two pre-existing clippy errors that surfaced on the local
toolchain (Rust 1.95.0): `duration_suboptimal_units` in database/config.rs
and `map_unwrap_or` in reservation.rs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5a09f5231f


Comment thread on about.toml, lines +39 to +41:
ignore-build-dependencies = false
ignore-dev-dependencies = false
ignore-transitive-dependencies = false

P1: Disable external license lookups in reproducibility gate

about.toml does not set no-clearly-defined = true, so cargo about generate will query clearlydefined.io by default; cargo-about’s own docs note that this external data can change or be temporarily unavailable for the same dependency graph. Because ci-check-licenses diffs generated output against committed THIRD_PARTY_LICENSES.md, this introduces nondeterministic, unrelated CI failures in the new blocking licenses gate. Configure generation to avoid external lookups (or otherwise pin the source) so the check is stable.


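The gate the PR description sketches for `just ci-check-licenses` (regenerate into a temp file, unified-diff against the committed copy, fail with a helpful message) and the determinism point raised in the Codex review can be combined in one script. The following is an added example, not trop's justfile, CI workflow or about.toml: it refuses to run unless the config explicitly sets `no-clearly-defined = true`, so a remote clearlydefined.io lookup can never change the diff, and only then regenerates and compares. The function names (`check_licenses`, `config_forbids_external_lookups`, `demo`), the exit-code convention and the constructed fixture files are this example's own; the only assumption about cargo-about is that `cargo about generate --config about.toml about.hbs` writes the report to stdout, which is why the generator is passed in as a command rather than hard-coded.

```shell
#!/usr/bin/env sh
# Added example (not trop's justfile or CI): a license-audit gate that
# (1) refuses to run unless about.toml pins generation to local data
#     (no-clearly-defined = true), and
# (2) regenerates the third-party license report into a temp file and
#     unified-diffs it against the committed copy.
# In the real recipe the generator would be
#   cargo about generate --config about.toml about.hbs
# which writes the report to stdout; here any command writing to stdout works.

# Return 0 only if the config explicitly disables clearlydefined.io lookups.
# A gate that consults a remote database can fail (or pass) for reasons
# unrelated to the dependency graph actually being audited.
config_forbids_external_lookups() {
  grep -Eq '^[[:space:]]*no-clearly-defined[[:space:]]*=[[:space:]]*true' "$1"
}

# check_licenses <about.toml> <committed report> <generator command...>
# Exit status: 0 report up to date, 1 report stale, 2 config or generator error.
check_licenses() {
  config=$1
  committed=$2
  shift 2

  if ! config_forbids_external_lookups "$config"; then
    echo "error: $config must set 'no-clearly-defined = true' so the audit" >&2
    echo "       is deterministic and does not depend on clearlydefined.io" >&2
    return 2
  fi

  tmp=$(mktemp) || return 2
  if ! "$@" >"$tmp"; then
    echo "error: license generator failed" >&2
    rm -f "$tmp"
    return 2
  fi

  if diff -u "$committed" "$tmp"; then
    rm -f "$tmp"
    return 0
  fi
  echo "error: $committed is stale; run 'just licenses' and commit the result" >&2
  rm -f "$tmp"
  return 1
}

# Stand-alone demo on constructed fixtures (not the project's real files).
demo() {
  dir=$(mktemp -d) || return 2
  # Constructed about.toml: the three ignore-* settings quoted in the review
  # plus the setting that makes the gate reproducible.
  cat >"$dir/about.toml" <<'EOF'
accepted = ["Apache-2.0", "MIT", "BSD-3-Clause", "Unicode-3.0"]
ignore-build-dependencies = false
ignore-dev-dependencies = false
ignore-transitive-dependencies = false
no-clearly-defined = true
EOF
  printf '# Third-party licenses\n\n- example-crate 1.0.0: MIT\n' >"$dir/THIRD_PARTY_LICENSES.md"
  fresh() { printf '# Third-party licenses\n\n- example-crate 1.0.0: MIT\n'; }
  stale() { printf '# Third-party licenses\n\n- example-crate 1.0.1: MIT\n'; }

  check_licenses "$dir/about.toml" "$dir/THIRD_PARTY_LICENSES.md" fresh && echo "demo: report up to date"
  check_licenses "$dir/about.toml" "$dir/THIRD_PARTY_LICENSES.md" stale || echo "demo: stale report rejected (rc=$?)"
  rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `sh ci-check-licenses.sh --demo` to see both outcomes on the constructed fixtures. Distinguishing exit code 2 (the gate itself is misconfigured or the generator crashed) from exit code 1 (the committed report genuinely drifted) matters in a blocking CI job: the first should be fixed in the config, the second by running the regenerate recipe and committing the result.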