legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

internal/auth/apikey.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package auth
 
 import (

internal/auth/bootstrap/bootstrap.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package bootstrap ships the day-0 admin-creation primitive for Bundle 1
 // Phase 6. The control plane comes up with no admin-roled actors; the
 // operator hands the env-var token to a single curl call; the server

internal/auth/bootstrap/service.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package bootstrap
 
 import (

internal/auth/breakglass/domain/types.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package domain holds the break-glass-admin persisted-shape type.
 //
 // Auth Bundle 2 Phase 1 / Phase 7.5: types only. Phase 2 ships the

internal/auth/breakglass/service.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package breakglass — Auth Bundle 2 Phase 7.5 / break-glass admin service.
 //
 // Decision 4: operator-toggleable local-password admin for the SSO-broken

internal/auth/context.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package auth holds the certctl auth surface: API-key validation, the
 // authenticated-actor context keys, and the helpers that consumers across
 // the codebase use to read the actor identity (rate limiter, audit

internal/auth/keystore.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package auth
 
 import (

internal/auth/middleware.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package auth
 
 import (

internal/auth/oidc/bootstrap_hook.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package oidc — Auth Bundle 2 Phase 7 / OIDC bootstrap hook.
 //
 // Phase 7 ships the "first OIDC login matching CERTCTL_BOOTSTRAP_ADMIN_GROUPS

internal/auth/oidc/doc.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package oidc is the Bundle 2 OpenID Connect integration: server-side
 // validation of ID tokens issued by an enterprise IdP (Okta / Azure AD /
 // Google Workspace / Keycloak / Authentik / Auth0), JWKS rotation,

internal/auth/oidc/domain/types.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package domain holds the OIDC integration's persisted-shape types.
 //
 // Auth Bundle 2 Phase 1: types only, no service or repository wiring.

internal/auth/oidc/groupclaim/resolver.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package groupclaim resolves the operator-configured `groups_claim_path`
 // against an ID token's parsed claims, returning the user's group
 // membership as a `[]string`.

internal/auth/oidc/prelogin.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package oidc — Bundle 2 Phase 5 / pre-login cookie machinery.
 //
 // This file implements the production-side PreLoginStore that the

internal/auth/oidc/service.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package oidc
 
 import (

internal/auth/oidc/test_discovery.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package oidc
 
 // Audit 2026-05-10 MED-5 closure — dry-run validator for OIDC provider

internal/auth/oidc/testfixtures/keycloak.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 //go:build integration
 
 // Package testfixtures provides Bundle 2 Phase 10 multi-IdP integration

internal/auth/protocol_endpoints.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package auth
 
 import "strings"

internal/auth/require_permission.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package auth
 
 import (

internal/auth/session/domain/types.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package domain holds the session-management persisted-shape types.
 //
 // Auth Bundle 2 Phase 1: types only. Phase 2 ships the SQL migration;

internal/auth/session/middleware.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package session — Auth Bundle 2 Phase 6 / session + CSRF middleware.
 //
 // This file ships the HTTP middleware that wires the post-login session

internal/auth/session/service.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package session implements the post-login session lifecycle for
 // Auth Bundle 2 Phase 4: cookie minting + signature validation +
 // idle/absolute expiry + revocation + signing-key rotation + GC.

internal/auth/testfixtures.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package auth
 
 import "context"

internal/auth/user/domain/types.go

@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package domain holds the federated-human user persisted-shape type.
 //
 // Auth Bundle 2 Phase 1: types only. Phase 2 ships the SQL migration;