feat(deckies): generic file drops on fleet + MazeNET deckies

Extracts the docker-exec-with-base64-stdin pattern out of canary/planter
and orchestrator/drivers/ssh into a shared decnet.decky_io package.
Both consumers now delegate; the canary planter test still proves the
contract end-to-end.

Adds POST/DELETE /api/v1/deckies/files for arbitrary file drops.
Container resolution is shared with the canary path: topology_id absent
means fleet (<name>-ssh), present routes through resolve_decky_container
which picks <name>-ssh when the topology decky exposes ssh, else the
topology base container decnet_t_<id8>_<name>.

Path validation rejects relative paths and '..' traversal at the request
model layer.  Bad base64 → 400; unknown topology → 404; decky not in
topology → 422; docker exec failure → 409.

tests/canary/test_planter.py

@@ -115,9 +115,9 @@ async def test_plant_argv_and_base64_round_trip(repo: SQLiteRepository, fake_bus
     assert stdin_seen[0] == base64.b64encode(art.content)
     assert "base64 -d > /home/admin/.aws/credentials" in script
     assert base64.b64encode(art.content).decode() not in script
-    # touch -d @<mtime> with negative offset → an int strictly less than now.
-    m = re.search(r"touch -d @(\d+) ", script)
-    assert m and int(m.group(1)) > 0
+    # touch -d 'YYYY-MM-DD HH:MM:SS UTC' — backdated via mtime_offset.
+    m = re.search(r"touch -d '(\d{4}-\d{2}-\d{2}) ", script)
+    assert m
     # State transitioned to planted.
     row = await repo.get_canary_token("tok-1")
     assert row["state"] == "planted" and row["last_error"] is None