…itive deps

Add [licenses] allow-list to fix 275 blocked-by-default license rejections
(cargo deny v2 rejects all licenses not explicitly allowed when no [licenses]
section is present).

Also ignore three unmaintained-crate advisories from transitive deps we
do not control directly:
- RUSTSEC-2024-0436 (paste, pulled by pgrx)
- RUSTSEC-2025-0134 (rustls-pemfile, pulled by testcontainers/bollard)
- RUSTSEC-2021-0127 (serde_cbor, transitive dev dep)

Warnings for duplicate windows-* crates remain; these are pre-existing
version skews from pgrx + testcontainers dep trees and are already
configured as warn-only.

- Remove stale RUSTSEC-2023-0071 ignore (sqlx mysql dep gone from graph)
- Add [bans] skip entries for duplicate crates that come from upstream
  version skews (pgrx vs testcontainers/bollard/ring) and cannot be
  resolved from this repo
- Remove skip entries that were unmatched on non-Windows platforms
  (windows-* 0.48.x, getrandom 0.2.x, hashbrown 0.12.x are only pulled
  by cfg(windows) deps not active on Linux/macOS)

cargo deny check now exits clean: advisories ok, bans ok, licenses ok, sources ok