chore: relicense to AGPL-3.0-or-later and add SPDX headers

Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

tests/web/__init__.py

@@ -0,0 +1 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later

tests/web/db/__init__.py

@@ -0,0 +1 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later

tests/web/db/conftest.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Shared fixtures for ``tests/web/db/`` — dual-backend repo testing.
 
 The ``db_backends`` fixture parametrizes a repository instance over

tests/web/db/test_secrets.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for decnet.web.db.secrets — Fernet encrypt/decrypt helper."""
 from __future__ import annotations
 

tests/web/db/test_ttp_repo.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """E.2.13 — Repository tests for the TTP-tag mixin.
 
 Pins the repo contract from ``development/TTP_TAGGING.md`` §E.2.13:

tests/web/services/__init__.py

@@ -0,0 +1 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later

tests/web/services/test_systemd_control.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Unit tests for :mod:`decnet.web.services.systemd_control`.
 
 These tests monkeypatch :func:`asyncio.create_subprocess_exec` so we

tests/web/test_admin_seed.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Tests for _ensure_admin_user env-drift self-healing.
 

tests/web/test_api_attacker_intel.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for GET /api/v1/attackers/{uuid}/intel."""
 from __future__ import annotations
 

tests/web/test_api_attackers.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Tests for the attacker profile API routes.
 

tests/web/test_api_campaigns.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for the campaign-clustering read API.
 
 Mirrors :mod:`tests.web.test_api_identities` for the layer above.

tests/web/test_api_export_attacker_misp.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for GET /api/v1/attackers/{uuid}/export/misp."""
 from __future__ import annotations
 

tests/web/test_api_export_attacker_stix.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for GET /api/v1/attackers/{uuid}/export/stix.
 
 Tests call the handler directly (no TestClient). The attack_stix bundle

tests/web/test_api_export_attackers_misp.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for GET /api/v1/attackers/export/misp — fleet-wide MISP collection."""
 from __future__ import annotations
 

tests/web/test_api_export_attackers_stix.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for GET /api/v1/attackers/export/stix — fleet-wide STIX bundle."""
 from __future__ import annotations
 

tests/web/test_api_identities.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Tests for the identity-resolution read API.
 

tests/web/test_api_llm.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for GET/PUT /api/v1/realism/llm."""
 from __future__ import annotations
 

tests/web/test_api_startup_guards.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Master API startup guards: mode gating + eager JWT load.
 
 The lifespan is what enforces these. We invoke it directly with a fresh

tests/web/test_attackers_fingerprint_columns.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Round-trip tests for the three PR2 fingerprint columns on AttackerIdentity.
 
 Verifies:

tests/web/test_attackers_ipv6_leak.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Tests for IPv6 link-local leak columns on Attacker and AttackerIdentity.
 
 Verifies:

tests/web/test_auth_async.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 averify_password / ahash_password run bcrypt on a thread so the event
 loop can serve other requests while hashing. Contract: they must produce

tests/web/test_env_lazy_jwt.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """The JWT secret must be lazy: agent/updater subcommands should import
 `decnet.env` without DECNET_JWT_SECRET being set."""
 from __future__ import annotations

tests/web/test_health_config_cache.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 TTL-cache contract: under concurrent load, N callers collapse to 1 repo hit
 per TTL window. Tests use fake repo objects — no real DB.

tests/web/test_ingester.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Tests for decnet/web/ingester.py
 

tests/web/test_ingester_bus.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Bus wiring for the ingester (DEBT-031, worker 6).
 
 The ingester emits one ``system.log`` event per DB-committed batch via

tests/web/test_ingester_http_fingerprint_compat.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Regression: the ingester's JA4H path must fire when a ja4h field is present
 in the sd-block of an http_request_fingerprint event (new shape, emitted by

tests/web/test_ingester_http_quirks.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """HTTP header-quirks fingerprint extraction in the ingester."""
 from __future__ import annotations
 

tests/web/test_ingester_mal_hash.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Ingester wiring for mal_hash + observed_attachments (DEBT-046).
 
 Validates `_publish_email_received` against a stub repo + stub provider:

tests/web/test_ingester_ua_classify.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """User-Agent classifier — enriches http_useragent bounty payload."""
 from __future__ import annotations
 

tests/web/test_ingester_xff.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """XFF / proxy-family mismatch detection in the ingester's bounty extractor."""
 from __future__ import annotations
 

tests/web/test_observed_attachments_repo.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """Repo tests for ``observed_attachments`` upsert (DEBT-046).
 
 The table is the per-hash sibling of ``attacker_intel`` — every

tests/web/test_router_cache.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 TTL-cache contract for /stats, /logs total count, and /attackers total count.
 

tests/web/test_validate_public_binding.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """validate_public_binding refuses footgun configs at master startup.
 
 The validator no-ops under pytest by design (so unit tests in unrelated

tests/web/test_web_api.py

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Tests for decnet/web/api.py lifespan and decnet/web/dependencies.py auth helpers.
 """