chore: relicense to AGPL-3.0-or-later and add SPDX headers

Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

decnet/web/router/ttp/__init__.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """TTP-tagging API router package — see development/TTP_TAGGING.md.
 
 Contract phase E.1.9: handlers return typed empty values. The repo

decnet/web/router/ttp/api_export_navigator.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/export/navigator{,/identity/{uuid}} — Navigator JSON layer.
 
 Empty-but-valid Navigator layer at contract phase per TTP_TAGGING.md

decnet/web/router/ttp/api_get_by_attacker.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/by-attacker/{attacker_uuid} — per-IP TTP slice.
 
 Backs the AttackerDetail page's TTP section. See TTP_TAGGING.md

decnet/web/router/ttp/api_get_by_campaign.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/by-campaign/{campaign_uuid} — campaign-wide TTP rollup."""
 from __future__ import annotations
 

decnet/web/router/ttp/api_get_by_identity.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/by-identity/{identity_uuid} — Identity-scoped TTP rollup.
 
 Primary endpoint for the IdentityDetail "TTPs Observed" section. See

decnet/web/router/ttp/api_get_by_session.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/by-session/{session_id} — session timeline of TTP tags."""
 from __future__ import annotations
 

decnet/web/router/ttp/api_get_groups_for_technique.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/techniques/{technique_id}/groups — MITRE-tracked groups using *technique_id*.
 
 Read-only reverse-index off the loaded ATT&CK STIX bundle. **NOT an

decnet/web/router/ttp/api_get_rules.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """TTP rule catalogue + admin-only state mutations.
 
 Three endpoints in one router:

decnet/web/router/ttp/api_get_tag_details.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """``GET /api/v1/ttp/tags/by-{scope}/{uuid}/{technique_id}``.
 
 Backs the operator-facing TTP inspector — when a user clicks a

decnet/web/router/ttp/api_get_techniques.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """GET /api/v1/ttp/techniques — distinct techniques observed fleet-wide.
 
 Returns an empty list at contract phase (E.1.9). Repo wiring lands in