chore: relicense to AGPL-3.0-or-later and add SPDX headers

Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

decnet/ttp/impl/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """TTP tagger implementations — rule engine + per-source lifters.
 
 Subpackage layout per the provider-subpackage convention used in

decnet/ttp/impl/_emit.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Shared TTPTag emission helper used by per-source lifters.
 
 The rule engine assembles a tag inline inside ``_evaluate_rules``; the

decnet/ttp/impl/_rule_index.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Hot-swappable rule registry shared by RuleEngine and per-source lifters.
 
 The dispatch index originally lived inline on

decnet/ttp/impl/_state.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Shared state-modulation helpers for rule consumers.
 
 Both :class:`~decnet.ttp.impl.rule_engine.RuleEngine` and the per-source

decnet/ttp/impl/behavioral_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Behavioral lifter — derives techniques from cross-event session signal.
 
 E.3.9 of ``development/TTP_TAGGING.md``. Owns YAML rules R0031–R0040 by

decnet/ttp/impl/canary_fingerprint_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canary fingerprint lifter — browser-payload derived technique tagger (E.3.11).
 
 Reads canary-payload fingerprints (navigator properties, canvas hashes,

decnet/ttp/impl/credential_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Credential lifter — credential-capture / reuse / brute-force tagger.
 
 E.3.13 of ``development/TTP_TAGGING.md``. Owns rules whose

decnet/ttp/impl/email_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Email lifter — SMTP message-level technique tagger (E.3.12).
 
 Reads pre-parsed SMTP message payload (headers as a name-only list,

decnet/ttp/impl/http_fingerprint_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """HTTP fingerprint lifter — JA4H / H2-settings / H3-settings / JA4-QUIC tagger.
 
 Reads ``http_fingerprint`` source-kind events and emits Reconnaissance

decnet/ttp/impl/identity_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Identity lifter — cross-attacker identity-rollup tagger.
 
 E.3.13 of ``development/TTP_TAGGING.md``. Owns rules whose

decnet/ttp/impl/intel_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Intel lifter — opportunistic third-party verdict translator (E.3.10).
 
 Reads ``AttackerIntel``-derived payload fields and emits ATT&CK

decnet/ttp/impl/ipv6_leak_lifter.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """IPv6 link-local leak lifter — opsec-failure tagger (R0059).
 
 Reads ``ipv6_leak`` source-kind events emitted by the passive sniffer

decnet/ttp/impl/rule_engine.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Rule engine contract — `CompiledRule`, `RuleEngine`, `RuleSchema`.
 
 Contract step E.1.5 of ``development/TTP_TAGGING.md``. Shape only — no