Use SPDX license identifiers in go.mod and add test to enforce them

[pietern]

Summary

• Normalize all license comments in go.mod to use standard SPDX identifiers (e.g. Apache 2.0 → Apache-2.0, BSD 3-Clause → BSD-3-Clause)
• Use MIT AND Apache-2.0 for go.yaml.in/yaml/v3 (different files under different licenses)
• Add internal/build/license_test.go that parses go.mod with x/mod/modfile and validates every direct dependency has a valid SPDX license comment

Test plan

• go test ./internal/build/ -run TestRequireSPDXLicenseComment passes
• Cross-checked all 38 license comments against upstream LICENSE files

This pull request was AI-assisted by Isaac.

[simonfaltum]

Do we have somehow enforce this test?

[pietern]

@simonfaltum WDYM?

I'm adding another one that verifies that our NOTICE file is up to date. Using normalized license names makes that easier/unambigous.

[simonfaltum]

@simonfaltum WDYM?

I'm adding another one that verifies that our NOTICE file is up to date. Using normalized license names makes that easier/unambigous.

I was just not sure it would run as part of the automatic test suite

[pietern]

Got it, yeah it does:

cli/Makefile

Line 5 in cf6e193

TEST_PACKAGES = ./acceptance/internal ./libs/... ./internal/... ./cmd/... ./bundle/... ./experimental/ssh/... .