chore: relicense to AGPL-3.0-or-later and add SPDX headers

Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

decnet/canary/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canary tokens — decoy artifacts planted in decky filesystems.
 
 Public surface is exported here so callers can ``from decnet.canary

decnet/canary/_obfuscate_helper.js

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
 // Node helper invoked by decnet.canary.obfuscator.
 // Reads {code, options} JSON from stdin, writes obfuscated JS to stdout.
 // Kept dependency-light on purpose: only javascript-obfuscator.

decnet/canary/base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canary generator / instrumenter ABCs and the artifact dataclass.
 
 Two flavors of producer share the same return shape:

decnet/canary/cultivator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Realism contract adapter for canary generators.
 
 Stage 7 of the realism migration.  The orchestrator's planner picks a

decnet/canary/dns_server.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Minimal authoritative DNS server for canary tokens (stdlib only).
 
 We don't need a full resolver — only enough to:

decnet/canary/factory.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Generator and instrumenter factories.
 
 Same lazy-import pattern as :mod:`decnet.intel.factory` — concrete

decnet/canary/fingerprint_payload.js

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
 // Canary fingerprint payload — the JS that runs inside an opened HTML/SVG
 // canary, harvests browser primitives, and beacons the result back to the
 // canary worker.  Ported from canary-self-test.html with the rendering UI

decnet/canary/generators/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Built-in canary generators (synthesised fake artifacts).
 
 Concrete classes live in sibling modules and are imported lazily by

decnet/canary/generators/aws_creds.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``~/.aws/credentials`` block (passive bait).
 
 This is the **passive** variant — no callback wiring.  An attacker

decnet/canary/generators/env_file.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``.env`` with embedded callback URLs.
 
 Modern web stacks read environment variables for everything from

decnet/canary/generators/fingerprint_html.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """HTML fingerprint canary — plausible-looking page with an obfuscated
 browser-fingerprinting payload inlined at the bottom of ``<body>``.
 

decnet/canary/generators/fingerprint_svg.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """SVG fingerprint canary — standalone SVG with an embedded ``<script>``
 that runs the obfuscated fingerprinter when the file is opened directly
 in a browser.

decnet/canary/generators/git_config.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``.git/config`` with an attacker-bait remote URL.
 
 The ``[remote "origin"]`` ``url`` field is the natural place to embed

decnet/canary/generators/honeydoc.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Built-in honeydoc — a minimal HTML "report" with a tracking pixel.
 
 This is the *fallback* honeydoc used when the operator hasn't

decnet/canary/generators/honeydoc_docx.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Real-DOCX honeydoc generator.
 
 Synthesises a minimal but structurally valid DOCX from scratch via

decnet/canary/generators/honeydoc_pdf.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Real-PDF honeydoc generator (uses :mod:`pikepdf`).
 
 Builds a one-page PDF with the same Q3-review body as the HTML/DOCX

decnet/canary/generators/mysql_dump.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake ``mysqldump`` output that phones home on import.
 
 Mirrors the Canarytokens.org MySQL-dump trick.  When a victim runs

decnet/canary/generators/ssh_key.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fake SSH private key with the callback host in the comment.
 
 OpenSSH private keys carry a free-form comment field — typically

decnet/canary/instrumenters/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Built-in canary instrumenters (operator-uploaded artifact mutation).
 
 Lazy-imported by :func:`decnet.canary.factory.get_instrumenter`.

decnet/canary/instrumenters/docx.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DOCX instrumenter — inject a remote image into the body.
 
 DOCX files are zip archives carrying ``word/document.xml`` (the body)

decnet/canary/instrumenters/html.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """HTML instrumenter — append a 1×1 tracking pixel.
 
 Stdlib-only.  We don't parse the HTML; we just inject the ``<img>``

decnet/canary/instrumenters/image.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Image instrumenter — requires :mod:`PIL` (optional dependency).
 
 For PNG/JPEG/GIF we append a tEXt/EXIF chunk carrying the slug so

decnet/canary/instrumenters/passthrough.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Passthrough instrumenter — bytes go to disk unchanged.
 
 Used as the dispatch fallback for content types we can't safely

decnet/canary/instrumenters/pdf.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """PDF instrumenter — requires :mod:`pikepdf` (optional dependency).
 
 PDF embedding is non-trivial: the cleanest place to put a callback

decnet/canary/instrumenters/plain.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Plain-text / config-file instrumenter.
 
 Two embedding strategies, picked in order:

decnet/canary/instrumenters/xlsx.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """XLSX instrumenter — embed an external-image link.
 
 XLSX is structurally identical to DOCX (Office Open XML zip).  The

decnet/canary/obfuscator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Per-mint JS obfuscator wrapper.
 
 Thin Python wrapper around the ``javascript-obfuscator`` Node package.

decnet/canary/paths.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Persona-aware path resolution for canary artifacts.
 
 Linux-persona deckies use POSIX-shaped paths under ``/home/<user>``.

decnet/canary/planter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Plant / revoke canary artifacts inside running decky containers.
 
 Single entry point per operation:

decnet/canary/storage.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Filesystem store for operator-uploaded canary blobs.
 
 Blobs live under ``/var/lib/decnet/canary/blobs/<sha256>`` (override

decnet/canary/worker.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``decnet canary`` worker — HTTP + DNS callback receivers.
 
 Two surfaces, one process: