feat(deckies): generic file drops on fleet + MazeNET deckies

Extracts the docker-exec-with-base64-stdin pattern out of canary/planter
and orchestrator/drivers/ssh into a shared decnet.decky_io package.
Both consumers now delegate; the canary planter test still proves the
contract end-to-end.

Adds POST/DELETE /api/v1/deckies/files for arbitrary file drops.
Container resolution is shared with the canary path: topology_id absent
means fleet (<name>-ssh), present routes through resolve_decky_container
which picks <name>-ssh when the topology decky exposes ssh, else the
topology base container decnet_t_<id8>_<name>.

Path validation rejects relative paths and '..' traversal at the request
model layer.  Bad base64 → 400; unknown topology → 404; decky not in
topology → 422; docker exec failure → 409.

decnet/web/router/__init__.py

@@ -50,6 +50,7 @@ from .swarm_mgmt import swarm_mgmt_router
 from .system import system_router
 from .topology import topology_router
 from .canary import canary_router
+from .deckies import deckies_router
 from .webhooks import webhooks_router
 
 api_router = APIRouter(
@@ -156,6 +157,7 @@ api_router.include_router(topology_router)
 # Canary tokens — operator-facing CRUD (worker hosts the
 # attacker-facing surface separately via `decnet canary`).
 api_router.include_router(canary_router)
+api_router.include_router(deckies_router)
 
 # External webhook subscriptions (SIEM/SOAR egress)
 api_router.include_router(webhooks_router)