chore: relicense from AGPL-3.0 to Apache-2.0

[LukasHirt]

Summary

Part of the OSPO-driven migration of ownCloud repositories toward Apache-2.0, following the Apache Software Foundation's third-party license policy (AGPL-3.0 is Category X).

• Replace LICENSE with Apache-2.0 full text
• Update "license" field in all package.json files
• Add REUSE.toml + LICENSES/ for REUSE 3.x compliance
• Add NOTICE with third-party attributions
• Add license-check (reuse lint) and dependency-license-check CI jobs
• Update OCI image label, README badge, and docs

License compliance (REUSE)

Why REUSE?

REUSE is a specification from the FSFE that defines a machine-readable, SPDX-based way to declare copyright and license information for every file in a repository. No more "check the root LICENSE file and hope for the best." It is the standard used by Apache, Eclipse, and the Linux kernel ecosystem for tooling-verifiable compliance. Adding it here means:

• Any downstream consumer or scanner (Black Duck, FOSSA, Dependency Track, etc.) can deterministically identify the license of every file without heuristics.
• The new license-check CI job runs reuse lint on every PR, so compliance regressions are caught before merge rather than discovered in an audit.

Why REUSE.toml?

REUSE.toml is the REUSE 3.x bulk-annotation file. Rather than embedding an SPDX-License-Identifier header in every source file, the .toml declares licensing by path glob — cleaner for a repo that was not REUSE-aware from the start. It covers two cases:

• The entire tree (**) → Apache-2.0, copyright ownCloud GmbH.
• packages/web-app-progress-bars/src/NyanCat.vue → Apache-2.0 AND MIT, because that component derives from the MIT-licensed cristurm/nyan-cat project.

Why the LICENSES/ directory?

The REUSE spec (and SPDX) require that the full license text for every SPDX identifier referenced in the project lives in LICENSES/.txt. This serves two purposes:

1. Offline / air-gapped consumers always have the authoritative license text alongside the source.
2. reuse lint verifies that no identifier is referenced without a corresponding text file, preventing stale or mismatched license declarations.

Two files are therefore required:

• LICENSES/Apache-2.0.txt — the primary project license.
• LICENSES/MIT.txt — required because NyanCat.vue carries a dual Apache-2.0 AND MIT identifier; without it, reuse lint would fail.

[kw-security]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[dj4oC]

LGTM. Before we continue, we need to do two steps:

1. create a final release
2. archive the branch released branch
3. merge

[dj4oC]

LGTM. Before we continue, we need to do two steps:

1. create a final release
2. archive the branch released branch
3. merge

Ping me when these steps are conducted and we can merge.

[LukasHirt]

@dj4oC the latest commit has been released and is also archived in the following branch https://github.com/owncloud/web-extensions/tree/archived/last-agpl-3-commit