chore: add SPDX headers to build/release scripts

[rgao-coreweave]

Summary

Add the 3-line SPDX header (per .reuse/templates/default_template.jinja2) to the 5 author-written scripts under scripts/ that lacked physical headers, matching the convention used everywhere else in src/, tests/, hooks/.

// SPDX-FileCopyrightText: 2026 CoreWeave, Inc.
// SPDX-License-Identifier: MIT
// SPDX-PackageName: weave-claude-plugin

Files touched:

• scripts/install-git-hooks.mjs
• scripts/build/copy-version-module.mjs
• scripts/release/bump-version.mjs
• scripts/release/update-marketplace-sha.mjs
• scripts/release/version-module-utils.mjs

Generated via the canonical command from CONTRIBUTING.md:

reuse annotate --license MIT --copyright 'CoreWeave, Inc.' \
               --year 2026 --template default_template --skip-existing $FILE

This is hygiene, not a compliance fix

reuse lint was clean before this change, because REUSE.toml declares a bulk annotation covering every file via path = "**". These 5 scripts were simply visual outliers relative to the rest of the repo's physical-header convention.

Intentionally skipped

• src/version.mjs — auto-generated by the release-bump workflow (scripts/release/bump-version.mjs); explicitly marked "maintained by release automation. Do not edit manually." A physical header here would either get clobbered on the next bump or require teaching the bump script to preserve it.
• tests/fixtures/fake-weave-plugin-bin/weave-claude-plugin — already gained its missing SPDX-PackageName in fix: detect and recover from stale daemon sockets #53 (commit 3bb871f).

CI gap (separate question, not addressed here)

There is no SPDX/REUSE check in CI today — format-and-lint.yaml runs npm run check (build + test + secrets scan) but doesn't invoke reuse lint. Worth noting:

• reuse lint would catch a brand-new file that isn't covered by REUSE.toml and has no header. It would not have caught the partial-header issue chance-wnb flagged on fix: detect and recover from stale daemon sockets #53 (missing SPDX-PackageName), because partial headers are still REUSE-spec compliant.
• A custom grep-based check ("if a file in src/, tests/, hooks/, or scripts/ has any SPDX- line, it must have all three from the template") would catch the partial-header case.

Happy to follow up with either or both in a separate PR — flagged here for visibility rather than scope-creeping this one.

Test plan

• reuse lint — 37/37 files compliant, spec 3.3
• npm run build — clean (the SPDX header on the build script itself didn't break the build pipeline)
• npm test — 8/8 pass

🤖 Generated with Claude Code