chore: relicense to AGPL-3.0-or-later and add SPDX headers

Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

decnet/web/db/models/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Database tables (SQLModel) and HTTP request/response shapes (Pydantic).
 

decnet/web/db/models/_base.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Shared column/validator helpers used across model domain modules."""
 from datetime import datetime
 from typing import Annotated, Any, Optional

decnet/web/db/models/attachments.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Observed-attachment intel — purpose-built table for the per-hash
 keyspace of attachments delivered by attackers.
 

decnet/web/db/models/attacker_intel.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Threat-intel enrichment row — one per attacker IP, TTL-cached."""
 from datetime import datetime, timezone
 from typing import Any, Optional

decnet/web/db/models/attackers.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Attacker core + per-attacker behavioral rows.
 
 Per-session keystroke-dynamics fingerprints have moved out of this

decnet/web/db/models/attribution_state.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Per-(identity, primitive) attribution state — v0 of the
 attribution engine.
 

decnet/web/db/models/auth.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Auth + user-management tables and DTOs."""
 from typing import List, Literal
 

decnet/web/db/models/campaigns.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Campaign — operation-level grouping of resolved attacker identities."""
 from datetime import datetime, timezone
 from typing import Any, List, Optional

decnet/web/db/models/canary.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Canary token tables + CRUD DTOs.
 
 Canary tokens are decoy artifacts (operator-uploaded honeydocs / synthesised

decnet/web/db/models/common.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Generic response shapes used across multiple router domains."""
 from __future__ import annotations
 

decnet/web/db/models/decky.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DTOs for cross-cutting decky operations (file drops, etc.).
 
 These don't bind to a single table — fleet deckies and MazeNET

decnet/web/db/models/decky_lifecycle.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """DeckyLifecycle table + DTOs.
 
 Tracks one row per (decky, operation) attempt — `deploy` or `mutate` —

decnet/web/db/models/deploy.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fleet deploy + mutate-interval request DTOs."""
 from typing import Optional
 

decnet/web/db/models/fleet.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Fleet decky table — DB mirror of ``decnet-state.json``.
 
 The legacy unihost / MACVLAN / IPVLAN deploy path persists fleet state to a

decnet/web/db/models/health.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Health-endpoint DTOs."""
 from typing import Literal, Optional
 

decnet/web/db/models/logs.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Log / Bounty / Credential / State tables + their list-response DTOs."""
 from datetime import datetime, timezone
 from typing import Any, List, Optional

decnet/web/db/models/observations.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """BEHAVE-SHELL observation rows — generic table holding every
 emitted Observation envelope.
 

decnet/web/db/models/orchestrator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Orchestrator-emitted activity events.
 
 Purpose-built sibling to ``logs.Log`` so attacker-originated events stay

decnet/web/db/models/realism.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Realism — synthetic-file state across orchestrator ticks.
 
 The orchestrator's pre-realism file generator forgot every file the

decnet/web/db/models/swarm.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Swarm host + decky shard tables and their HTTP DTOs."""
 from datetime import datetime, timezone
 from typing import Annotated, Any, Optional

decnet/web/db/models/tarpit.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tarpit rule table + HTTP request/response shapes."""
 from datetime import datetime, timezone
 from typing import Any

decnet/web/db/models/topology.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """MazeNET topology tables + the REST DTOs that wrap them."""
 import json
 from datetime import datetime, timezone

decnet/web/db/models/ttp.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """TTP-tagging schema — `ttp_tag`, `ttp_rule`, `ttp_rule_state`.
 
 Contract step E.1.1 of `development/TTP_TAGGING.md`. Shapes only — no

decnet/web/db/models/updater.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Remote updates DTOs (master → worker /updater fan-out)."""
 from typing import Any, Literal, Optional
 

decnet/web/db/models/webhooks.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Webhook subscription table + CRUD DTOs.
 
 Webhooks push DECNET bus events out to external SIEM / SOAR stacks

decnet/web/db/models/workers.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Workers panel DTOs (bus-backed health + control)."""
 from typing import Any, Dict, List, Literal, Optional