
feat: Add dependency license scanning with licensed #191

Open
beanrepo wants to merge 36 commits into arduino:main from beanrepo:add-licensed

Conversation

@beanrepo (Contributor) commented Apr 22, 2026

Integrate the licensed Ruby gem (v5.0.6) to scan, cache, validate, and report third-party pip dependency licenses across the library and selected container environments.

What's included

  • .licensed.yml adds a multi-app licensed configuration for 5 targets:
    • arduino-app-bricks
    • python-base
    • aihub-models-runner
    • gesture-recognition-runner
    • python-apps-base
  • .licenses/ adds cached dependency license records for the currently enumerated pip dependencies across the configured apps. Several records were manually normalized from license: none / license: other to reviewed SPDX identifiers when the license text could be reliably identified.
  • Taskfile.dist.yml adds:
    • license:headers to keep SPDX headers and top-level license files managed via REUSE
    • license:init-venvs to build the Python virtual environments used by licensed
    • license:cleanup-venvs to remove those environments manually when needed
    • install:licensed to verify/install the Ruby gem
    • license:deps to run licensed cache followed by licensed status
    • an updated license task chaining license:headers -> license:deps
  • REUSE.toml excludes .licenses/** from REUSE processing so SPDX strings embedded in cached license texts do not trigger unwanted license downloads.
  • .gitignore ignores .licensed-venv-* and containers/*/.licensed-venv/.
  • .github/workflows/check-dependency-licenses.yml adds a dedicated PR workflow that:
    • installs Ruby, system dependencies, and Taskfile prerequisites
    • runs task license:deps
    • annotates multiline licensed errors directly in GitHub Actions
    • publishes a structured job summary with:
      • blocking dependency license issues
      • non-blocking dependency installation warnings for the licensed virtualenvs
      • non-blocking cached record updates / outdated dependency versions
    • fails only when licensed status reports actual dependency errors, instead of failing on every cache/version drift case
  • .github/workflows/ci-checks.yml keeps license:headers in the main CI flow, while dependency license validation now runs in its dedicated workflow.

Notes

  • ai-edge-litert==1.3.0 (gesture-recognition-runner) is arm64-only and is intentionally skipped on unsupported runners; it is surfaced in CI as a non-blocking warning.
  • The licensed virtualenvs are kept as ignored local artifacts for reuse and can be removed manually with task license:cleanup-venvs.
  • In CI, licensed is installed automatically if needed; locally, the task asks for a manual gem install licensed -v 5.0.6 when the gem is missing.
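The workflow described above distinguishes blocking license errors from non-blocking cache and version drift, and turns licensed's messages into GitHub Actions annotations. The following is an added example, not code from this PR, from the arduino repository, or from the licensed gem: a small Python check that reads the flat header of cached `.dep.yml` records, applies an `allowed` list and a per-source `reviewed` list the way licensed's status check does, treats `license: none` / `license: other` as errors unless reviewed, reports cached-version drift as a warning only, and emits `::error` / `::warning` workflow commands with newlines encoded as `%0A` so multiline messages survive. The record layout (`name`, `version`, `type`, `license` scalars followed by a nested `licenses:` block) is assumed from licensed's cache format, and the three sample records, the allowed list and the installed-version table are constructed for this example.

```python
"""Classify cached dependency license records into blocking errors and
non-blocking warnings, then render them as GitHub Actions annotations.

Added example only; not the PR's or the licensed gem's code. The flat
header layout of a `.dep.yml` record is assumed from licensed's cache
format; all sample data below is constructed.
"""
from __future__ import annotations

# Constructed sample records: three cached `.dep.yml` headers for one app.
SAMPLE_RECORDS = {
    ".licenses/python-base/pip/requests.dep.yml": """\
---
name: requests
version: 2.32.3
type: pip
summary: Python HTTP for Humans.
license: apache-2.0
""",
    ".licenses/python-base/pip/some-gpl-tool.dep.yml": """\
---
name: some-gpl-tool
version: 1.0.0
type: pip
summary: constructed placeholder package
license: gpl-3.0
""",
    ".licenses/python-base/pip/mystery-lib.dep.yml": """\
---
name: mystery-lib
version: 0.9.0
type: pip
summary: constructed placeholder whose license text was not auto-detected
license: other
""",
}

# Constructed policy: SPDX ids accepted without review (licensed's `allowed:`).
ALLOWED = {"mit", "apache-2.0", "bsd-3-clause", "bsd-2-clause", "isc", "psf-2.0"}
# Packages whose license text was reviewed by hand (licensed's `reviewed:`, keyed by source).
REVIEWED = {"pip": {"mystery-lib"}}
# Versions currently installed in the app's virtualenv (constructed).
INSTALLED = {"requests": "2.32.3", "some-gpl-tool": "1.0.0", "mystery-lib": "1.0.0"}


def parse_record(text: str) -> dict[str, str]:
    """Read the scalar top-level keys of a cached record.

    Parsing stops at the first nested block (`licenses:`/`notices:` or an
    indented line), so the license text itself is never touched and no
    YAML library is needed for the header fields.
    """
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("---") or not line.strip():
            continue
        if line.startswith((" ", "licenses:", "notices:")):
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_records(records, allowed, reviewed, installed):
    """Return (errors, warnings): errors block the build, warnings do not."""
    errors, warnings = [], []
    for path, text in records.items():
        rec = parse_record(text)
        name = rec["name"]
        license_id = rec.get("license", "none")
        source = rec.get("type", "pip")
        is_reviewed = name in reviewed.get(source, set())
        if license_id in allowed or is_reviewed:
            pass  # acceptable license, or explicitly reviewed by a human
        elif license_id in ("none", "other"):
            errors.append(f"{path}: license could not be identified ({license_id});\n"
                          "review the license text and record a SPDX identifier")
        else:
            errors.append(f"{path}: license {license_id} is not in the allowed list")
        cur = installed.get(name)
        if cur is not None and cur != rec.get("version"):
            warnings.append(f"{path}: cached version {rec.get('version')} differs "
                            f"from installed {cur}; re-run licensed cache")
    return errors, warnings


def gha_annotations(errors, warnings):
    """Render workflow commands; newlines must be %0A-encoded to survive."""
    out = []
    for level, items in (("error", errors), ("warning", warnings)):
        for item in items:
            path, _, msg = item.partition(": ")
            out.append(f"::{level} file={path}::{msg.replace(chr(10), '%0A')}")
    return out


def exit_code(errors):
    """Fail the job only for real license errors, never for warnings alone."""
    return 1 if errors else 0


if __name__ == "__main__":
    errs, warns = check_records(SAMPLE_RECORDS, ALLOWED, REVIEWED, INSTALLED)
    print("\n".join(gha_annotations(errs, warns)))
    raise SystemExit(exit_code(errs))
```

Run as a script it prints one `::error` for the GPL package and one `::warning` for the stale cached version of the reviewed package, and exits 1 because of the error alone; with the reviewed entry removed, `mystery-lib` would become a second blocking error, which is the same distinction the PR's workflow draws between `licensed status` failures and cache drift.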

beanrepo and others added 25 commits April 24, 2026 13:14
Co-authored-by: Copilot <copilot@github.com>
beanrepo and others added 4 commits April 24, 2026 13:14
1 participant