feat(asn): IP→ASN enrichment via iptoasn.com bulk dump

Mirrors decnet/geoip/ end-to-end: paths/base/factory/lookup at the
package level, iptoasn/ subpackage holds the data-source-specific
fetch+parse+provider. AsnLookup is bisect-indexed over (start, end,
AsnInfo) ranges with a pickled cache invalidated on raw-file mtime
bump.

Why iptoasn (and not bgp.tools / Team Cymru): public-domain dump,
zero attribution, no UA mandate, daily refresh — keeps DECNET stealth
intact (the geoip/rir module's "never identify as DECNET" comment
applies the same way here). bgp.tools' ToS would have required an
identifying UA, conflicting with feedback_stealth.

Public surface: decnet.asn.enrich_ip(ip) -> (asn, name, source) or
all-None on miss/disabled. Same shape as decnet.geoip.enrich_ip so
the profiler can compose them in one call site.

tests/asn/conftest.py

@@ -0,0 +1,22 @@
+"""Per-package fixtures — sandbox the ASN provider into a tmp dir so no
+real /var/lib/decnet paths get touched and no real iptoasn URL gets
+fetched."""
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+
+@pytest.fixture(autouse=True)
+def _asn_sandbox(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
+    monkeypatch.setenv("DECNET_ASN_ENABLED", "true")
+    monkeypatch.setenv("DECNET_ASN_ROOT", str(tmp_path))
+    import decnet.asn as _a
+    import decnet.asn.factory as _f
+    import decnet.asn.paths as _p
+    monkeypatch.setattr(_p, "ASN_ROOT", tmp_path)
+    _a._lookup = None
+    _a._provider_name = None
+    _f.reset_cache()
+    return tmp_path