chore: relicense to AGPL-3.0-or-later and add SPDX headers

Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

decnet/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DECNET — honeypot deception-network framework.
 
 This __init__ runs once, on the first `import decnet.*`. It seeds

decnet/agent/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DECNET worker agent — runs on every SWARM worker host.
 
 Exposes an mTLS-protected FastAPI service the master's SWARM controller

decnet/agent/app.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Worker-side FastAPI app.
 
 Protected by mTLS at the ASGI/uvicorn transport layer: uvicorn is started

decnet/agent/executor.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Thin adapter between the agent's HTTP endpoints and the existing
 ``decnet.engine.deployer`` code path.
 

decnet/agent/heartbeat.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Agent → master liveness heartbeat loop.
 
 Every ``INTERVAL_S`` seconds the worker posts ``executor.status()`` to

decnet/agent/server.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Worker-agent uvicorn launcher.
 
 Starts ``decnet.agent.app:app`` over HTTPS with mTLS enforcement.  The

decnet/agent/topology_ops.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Agent-side topology apply/teardown/state primitives.
 
 Wraps the compose + bridge machinery from :mod:`decnet.engine.deployer`

decnet/agent/topology_store.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Agent-side sqlite cache of the currently-applied topology.
 
 **This is a cache, not a source of truth.**  The master is the only

decnet/archetypes.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Machine archetype profiles for DECNET deckies.
 

decnet/asn/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 IP-to-ASN enrichment — maps attacker IPs to BGP-announced AS numbers and
 org names for attacker intelligence.

decnet/asn/base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """ASN provider protocol — mirror of :mod:`decnet.geoip.base`.
 
 Concrete providers (e.g. :mod:`decnet.asn.iptoasn`) implement this.

decnet/asn/factory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """ASN provider factory — mirror of :mod:`decnet.geoip.factory`.
 
 Dispatch key: ``DECNET_ASN_PROVIDER`` (default ``iptoasn``). Lazy

decnet/asn/iptoasn/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """iptoasn.com IP→ASN provider.
 
 Daily-refreshed gzipped TSV dump of the global BGP table, derived from

decnet/asn/iptoasn/fetch.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """iptoasn.com bulk dump download.
 
 One file: ``ip2asn-v4.tsv.gz``, ~5 MB compressed, refreshed daily.

decnet/asn/iptoasn/parse.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Parser for the iptoasn.com ``ip2asn-v4.tsv`` dump.
 
 Line shape (gzipped, one row per BGP-announced prefix)::

decnet/asn/iptoasn/provider.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """iptoasn provider — orchestrates fetch + parse into an :class:`AsnLookup`.
 
 Mirrors :class:`decnet.geoip.rir.provider.RirProvider` exactly: fetch,

decnet/asn/lookup.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Provider-agnostic IP→ASN lookup.
 
 A :class:`AsnLookup` is a frozen, sorted array of ``(start_ip,

decnet/asn/paths.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Filesystem layout for ASN data — mirror of :mod:`decnet.geoip.paths`.
 
 ``ASN_ROOT`` is where providers drop their raw files and cache indexes.

decnet/bus/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DECNET ServiceBus — pub/sub notification substrate.
 
 The bus is the notification layer for DECNET's worker constellation.  The DB

decnet/bus/app.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Process-wide bus singleton for request-serving workers (API, SSE routes).
 
 A single connected :class:`~decnet.bus.base.BaseBus` shared across request

decnet/bus/base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Bus abstractions: the :class:`Event` envelope and the :class:`BaseBus` ABC.
 
 Every transport (NATS, in-process fake, null) speaks this contract.  The

decnet/bus/factory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Bus factory — selects a :class:`~decnet.bus.base.BaseBus` implementation.
 
 Dispatch key: the ``DECNET_BUS_TYPE`` environment variable.

decnet/bus/fake.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """In-process bus transports.
 
 * :class:`FakeBus` — real pub/sub semantics without touching a socket.  Used

decnet/bus/protocol.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Wire protocol for the DECNET bus UNIX-socket transport.
 
 Frame layout:

decnet/bus/publish.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fire-and-forget publish helpers shared across every worker.
 
 Lifted out of ``decnet/mutator/engine.py`` once a second caller showed up

decnet/bus/topics.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canonical topic hierarchy for the DECNET ServiceBus.
 
 Locked early so consumers can subscribe with stable wildcard patterns.

decnet/bus/unix_client.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """UNIX-socket client — :class:`UnixSocketBus` implementation of :class:`BaseBus`.
 
 Holds one open socket to the local :class:`~decnet.bus.unix_server.BusServer`.

decnet/bus/unix_server.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """UNIX-socket server for the DECNET bus.
 
 One :class:`BusServer` per host.  Accepts local connections on a UNIX-domain

decnet/bus/worker.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``decnet bus`` worker entrypoint.
 
 Starts a :class:`~decnet.bus.unix_server.BusServer` on the configured UNIX

decnet/canary/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canary tokens — decoy artifacts planted in decky filesystems.
 
 Public surface is exported here so callers can ``from decnet.canary

decnet/canary/_obfuscate_helper.js

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
 // Node helper invoked by decnet.canary.obfuscator.
 // Reads {code, options} JSON from stdin, writes obfuscated JS to stdout.
 // Kept dependency-light on purpose: only javascript-obfuscator.

decnet/canary/base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canary generator / instrumenter ABCs and the artifact dataclass.
 
 Two flavors of producer share the same return shape:

decnet/canary/cultivator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Realism contract adapter for canary generators.
 
 Stage 7 of the realism migration.  The orchestrator's planner picks a

decnet/canary/dns_server.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Minimal authoritative DNS server for canary tokens (stdlib only).
 
 We don't need a full resolver — only enough to:

decnet/canary/factory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Generator and instrumenter factories.
 
 Same lazy-import pattern as :mod:`decnet.intel.factory` — concrete

decnet/canary/fingerprint_payload.js

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
 // Canary fingerprint payload — the JS that runs inside an opened HTML/SVG
 // canary, harvests browser primitives, and beacons the result back to the
 // canary worker.  Ported from canary-self-test.html with the rendering UI

decnet/canary/generators/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Built-in canary generators (synthesised fake artifacts).
 
 Concrete classes live in sibling modules and are imported lazily by

decnet/canary/generators/aws_creds.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``~/.aws/credentials`` block (passive bait).
 
 This is the **passive** variant — no callback wiring.  An attacker

decnet/canary/generators/env_file.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``.env`` with embedded callback URLs.
 
 Modern web stacks read environment variables for everything from

decnet/canary/generators/fingerprint_html.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """HTML fingerprint canary — plausible-looking page with an obfuscated
 browser-fingerprinting payload inlined at the bottom of ``<body>``.
 

decnet/canary/generators/fingerprint_svg.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """SVG fingerprint canary — standalone SVG with an embedded ``<script>``
 that runs the obfuscated fingerprinter when the file is opened directly
 in a browser.

decnet/canary/generators/git_config.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``.git/config`` with an attacker-bait remote URL.
 
 The ``[remote "origin"]`` ``url`` field is the natural place to embed

decnet/canary/generators/honeydoc.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Built-in honeydoc — a minimal HTML "report" with a tracking pixel.
 
 This is the *fallback* honeydoc used when the operator hasn't

decnet/canary/generators/honeydoc_docx.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Real-DOCX honeydoc generator.
 
 Synthesises a minimal but structurally valid DOCX from scratch via

decnet/canary/generators/honeydoc_pdf.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Real-PDF honeydoc generator (uses :mod:`pikepdf`).
 
 Builds a one-page PDF with the same Q3-review body as the HTML/DOCX

decnet/canary/generators/mysql_dump.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``mysqldump`` output that phones home on import.
 
 Mirrors the Canarytokens.org MySQL-dump trick.  When a victim runs

decnet/canary/generators/ssh_key.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake SSH private key with the callback host in the comment.
 
 OpenSSH private keys carry a free-form comment field — typically

decnet/canary/instrumenters/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Built-in canary instrumenters (operator-uploaded artifact mutation).
 
 Lazy-imported by :func:`decnet.canary.factory.get_instrumenter`.

decnet/canary/instrumenters/docx.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DOCX instrumenter — inject a remote image into the body.
 
 DOCX files are zip archives carrying ``word/document.xml`` (the body)

decnet/canary/instrumenters/html.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """HTML instrumenter — append a 1×1 tracking pixel.
 
 Stdlib-only.  We don't parse the HTML; we just inject the ``<img>``

decnet/canary/instrumenters/image.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Image instrumenter — requires :mod:`PIL` (optional dependency).
 
 For PNG/JPEG/GIF we append a tEXt/EXIF chunk carrying the slug so

decnet/canary/instrumenters/passthrough.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Passthrough instrumenter — bytes go to disk unchanged.
 
 Used as the dispatch fallback for content types we can't safely

decnet/canary/instrumenters/pdf.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """PDF instrumenter — requires :mod:`pikepdf` (optional dependency).
 
 PDF embedding is non-trivial: the cleanest place to put a callback

decnet/canary/instrumenters/plain.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Plain-text / config-file instrumenter.
 
 Two embedding strategies, picked in order:

decnet/canary/instrumenters/xlsx.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """XLSX instrumenter — embed an external-image link.
 
 XLSX is structurally identical to DOCX (Office Open XML zip).  The

decnet/canary/obfuscator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Per-mint JS obfuscator wrapper.
 
 Thin Python wrapper around the ``javascript-obfuscator`` Node package.

decnet/canary/paths.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Persona-aware path resolution for canary artifacts.
 
 Linux-persona deckies use POSIX-shaped paths under ``/home/<user>``.

decnet/canary/planter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Plant / revoke canary artifacts inside running decky containers.
 
 Single entry point per operation:

decnet/canary/storage.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Filesystem store for operator-uploaded canary blobs.
 
 Blobs live under ``/var/lib/decnet/canary/blobs/<sha256>`` (override

decnet/canary/worker.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``decnet canary`` worker — HTTP + DNS callback receivers.
 
 Two surfaces, one process:

decnet/cli/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 DECNET CLI — entry point for all commands.
 

decnet/cli/agent.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import os

decnet/cli/api.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import os

decnet/cli/bus.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/canary.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``decnet canary`` — HTTP + DNS callback receiver for canary tokens.
 
 Two entry points share this module:

decnet/cli/db.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 from typing import Optional

decnet/cli/deploy.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 from typing import Optional

decnet/cli/forwarder.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import asyncio

decnet/cli/gating.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Role-based CLI gating.
 
 MAINTAINERS: when you add a new Typer command (or add_typer group) that is

decnet/cli/geoip.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GeoIP CLI — refresh and lookup subcommands (master-only).
 
 Usage::

decnet/cli/init.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 `decnet init` — one-shot master-host bootstrap.
 

decnet/cli/inventory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/lifecycle.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import subprocess  # nosec B404

decnet/cli/listener.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import asyncio

decnet/cli/orchestrator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 from typing import Optional

decnet/cli/profiler.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/realism.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``decnet realism ...`` — content-engine maintenance commands.
 
 After stage 5 of the realism migration, this is the only remaining

decnet/cli/reconciler.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/sniffer.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/swarm.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """`decnet swarm ...` — master-side operator commands (HTTP to local swarmctl)."""
 
 from __future__ import annotations

decnet/cli/swarmctl.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import os

decnet/cli/topology.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """MazeNET topology CLI: generate / deploy / teardown / list / show."""
 from __future__ import annotations
 

decnet/cli/ttp.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``decnet ttp`` — TTP-tagging worker and admin commands.
 
 Two flat commands share this module:

decnet/cli/updater.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import pathlib as _pathlib

decnet/cli/utils.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Shared CLI helpers: console, logger, process management, swarm HTTP client.
 
 Submodules reference these as ``from . import utils`` then ``utils.foo(...)``

decnet/cli/web.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/webhook.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 import typer

decnet/cli/workers.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 from __future__ import annotations
 
 from typing import Optional

decnet/clustering/__init__.py

@@ -1 +1,2 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Campaign clustering — see development/CAMPAIGN_CLUSTERING.md."""

decnet/clustering/base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Identity-resolution clusterer protocol.
 
 Each concrete clusterer (``decnet.clustering.impl.connected_components``,

decnet/clustering/campaign/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Campaign clusterer — groups resolved identities into operations.
 
 The layer above identity resolution. See

decnet/clustering/campaign/base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Campaign clusterer protocol — layer above identity resolution.
 
 Mirrors :mod:`decnet.clustering.base` for the layer above. Each concrete

decnet/clustering/campaign/factory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Campaign-clusterer factory.
 
 Mirrors :mod:`decnet.clustering.factory` for the campaign layer.

decnet/clustering/campaign/impl/__init__.py

@@ -0,0 +1 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later

decnet/clustering/campaign/impl/connected_components.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Connected-components campaign clusterer (v1).
 
 Builds a similarity graph over identities (the layer below — already

decnet/clustering/campaign/impl/similarity.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Similarity-graph primitives for the campaign clusterer.
 
 The campaign clusterer reads ``AttackerIdentity`` rows (the layer below)

decnet/clustering/campaign/worker.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Long-running campaign-clusterer worker.
 
 Mirrors :mod:`decnet.clustering.worker` for the layer above. Bus-woken

decnet/clustering/factory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Clusterer factory.
 
 Returns the active :class:`~decnet.clustering.base.Clusterer` instance.

decnet/clustering/impl/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Concrete clusterer implementations.
 
 Each module here contains exactly one :class:`~decnet.clustering.base.Clusterer`

decnet/clustering/impl/connected_components.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Connected-components identity clusterer (v1).
 
 Builds a similarity graph over observations (per-IP attacker rows),