Remove dependency on pb33f/doctor - no open source license

[ivankatliarchuk]

The pb33f/doctor repository currently has no LICENSE file and GitHub reports the license as NOASSERTION. This means the project is technically "all rights reserved" and cannot be safely used as a dependency by projects that require open source licensing.

Organizations with license compliance requirements (e.g. the Kubernetes project, CNCF) cannot adopt vacuum or any tool that transitively depends on it, because all dependencies must carry an OSI-approved open source license.

For reference, all other pb33f dependencies used by vacuum (libopenapi, libopenapi-validator, ordered-map) are MIT-licensed.

The features and functionalities are great, but unfortunately we could not use it. Removed recently from our project due to licencing kubernetes-sigs/external-dns#5955

Impact

pb33f/doctor is deeply integrated across ~117 files in vacuum, providing:

• DrDocument — high-level typed document wrapper used in RuleFunctionContext and RuleSetExecution
• v3.* types — Foundational, Schema, SecurityScheme, etc. with GenerateJSONPath() used in nearly every rule function
• LocateModelsByKeyAndValue / LocateModelByLine — used for component path resolution and change filtering
• changerator — powers --original / --changes-summary change detection
• renderer.TreeRenderer / terminal.ColorScheme — change tree rendering

[daveshanley]

What license would you find acceptable in the doctor?

I control the stack.

[daveshanley]

OK, so I just permanently changed the license for the doctor to Apache 2.0.

I was planning on it some time ago; this is the first time it's come up.

[ivankatliarchuk]

Thank you. Yeah, that was a suprise to me too. We were using vacuum as a support tool to lint OpenAPI specs, not a direct dependency in the code, but even then was forced to remove from the project.

[daveshanley]

I hope I can tempt you to reintroduce it?

K8s/CNCF is a great customer to have!

[ivankatliarchuk]

Yeap. I'll share update in k8s slack.

[daveshanley]

Just for anyone reviewing this in the future. The Doctor is an integral part of vacuum, it cannot and will never be removed, but in order to make the stack fully FOSS, I have moved the license for pb33f/doctor to Apache 2.0 (from BUSL 1.)