licensing: add Apache 2.0 (LICENSE, NOTICE, SPDX headers)

[salindne]

Summary

Brings the canton-middleware repo into compliance with the licensing
posture committed to in the upcoming CIP56/ERC-20 Middleware grant
proposal: all first-party deliverables released under Apache License
2.0, with SPDX headers in every source file and a root NOTICE
enumerating third-party software.

This is the canton-middleware piece of a broader rollout; parallel PRs
follow against the linked submodule repositories
(ChainSafe/canton-erc20, ChainSafe/canton-wayfinder) and the
canton-snap repository.

Commits in this PR

1. licensing: add root LICENSE (Apache 2.0) — verbatim text from
   https://www.apache.org/licenses/LICENSE-2.0.txt.
2. licensing: add NOTICE enumerating third-party licenses — direct
   Go dependencies from go.mod with copyright attributions.
3. licensing: add SPDX headers to Go source — 192 files in cmd/ and
   pkg/, plus the helper script scripts/dev/add-spdx-headers.sh
   used to seed and re-apply headers idempotently. Generated code
   (protobuf in pkg/cantonsdk/lapi/v2/, abigen bindings in
   pkg/ethereum/contracts/, mockery-generated mocks) is skipped.
4. licensing: add SPDX headers to scripts and Dockerfiles — 20 shell
   scripts and 4 Dockerfiles.
5. licensing: update README license section — replaces the
   [License details here] placeholder.
6. licensing: restore executable bit on shell scripts — fixes mode
   regression introduced by commit Fix/canton v2 api compatibility #4.
7. licensing: preserve file mode in SPDX-header helper script —
   helper script now uses cat tmp > file instead of mv tmp file so
   subsequent runs preserve target permissions.
8. licensing: drop unrelated WIP scripts pulled in by an earlier git add — removes three untracked working files in
   scripts/testing/ that got swept into commit Production Authentication Implementation #6 by accident; none
   existed on main.

Out of scope

• The three submoduled repositories at contracts/canton-erc20,
  contracts/ethereum-wayfinder, and the externally-located
  canton-snap repository. Each gets its own PR.
• The AGPL-3.0 transitive submodule (halmos-cheatcodes under
  openzeppelin-contracts): confirmed dormant, not referenced by any
  first-party source, test, or foundry.toml.

Test plan

• go build ./... succeeds.
• go vet ./... clean.
• go test -count=1 -run='^$' ./... (all test files compile).
• CI E2E Tests, PR Lint, PR Test all pass.

[gemini-code-assist]

Code Review

This pull request adds SPDX-License-Identifier headers to first-party source files, including Go files, shell scripts, and Dockerfiles, and introduces a helper script add-spdx-headers.sh to automate this process. Two critical issues were identified in the helper script where using mv to replace files causes them to lose their original file permissions (such as the executable bit on shell scripts). It is recommended to redirect the temporary file contents back into the original file instead.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@1431b48). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #283   +/-   ##
=======================================
  Coverage        ?   31.28%           
=======================================
  Files           ?      131           
  Lines           ?    10179           
  Branches        ?        0           
=======================================
  Hits            ?     3185           
  Misses          ?     6724           
  Partials        ?      270           

Flag	Coverage Δ
unittests	31.28% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
pkg/app/api/server.go	0.00% <ø> (ø)
pkg/app/errors/errors.go	0.00% <ø> (ø)
pkg/app/http/handler.go	0.00% <ø> (ø)
pkg/app/http/middleware.go	0.00% <ø> (ø)
pkg/app/http/server.go	0.00% <ø> (ø)
pkg/app/indexer/server.go	0.00% <ø> (ø)
pkg/app/relayer/server.go	0.00% <ø> (ø)
pkg/auth/canton.go	0.00% <ø> (ø)
pkg/auth/context.go	0.00% <ø> (ø)
pkg/auth/evm.go	0.00% <ø> (ø)
... and 121 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[salindne]

Addressed by commit 0a11e10 — prepend_top and insert_after_shebang now write via cat tmp > file (preserves mode) instead of mv tmp file (adopts mktemp's 0600). Commit cbbcd74 restored the executable bit on the 19 affected shell scripts. E2E Tests is now passing.

[salindne]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces Apache 2.0 license headers across the codebase, adds an automation script to manage these headers, and implements three new Go-based testing scripts (send-usdcx-direct.go, send-usdcx-transfer.go, and withdraw-via-interface.go) to facilitate direct token transfers and withdrawals. The review feedback highlights several opportunities to improve the robustness and efficiency of these new scripts, specifically by replacing inefficient fmt.Sscanf calls with strconv.ParseFloat, adding a missing AV_Map case to encodeAnyValue for parity, and properly handling ignored errors from io.ReadAll when reading HTTP response bodies.

[dhyaniarun1993]

It looks like you have added some extra scripts that aren’t related to the license changes. If that was unintentional, could you please remove them? Other than that, everything looks good to me.