feat(deploy): wire attribution worker — CLI + systemd unit + registry

* decnet attribution — Typer command mirroring decnet reuse-correlate
  (--multi-actor-tick, --daemon flags). Calls run_attribution_loop
  with the dependency-injected repo.
* deploy/decnet-attribution.service.j2 — systemd unit mirroring
  decnet-reuse-correlator.service.j2: ExecStart=decnet attribution,
  same hardening posture (NoNewPrivileges, ProtectSystem=full,
  ProtectHome=read-only, dedicated /var/log/decnet/decnet.attribution.log).
* worker_registry.KNOWN_WORKERS += "attribution" — heartbeat already
  publishes as system.attribution.health from
  attribution_worker._WORKER_NAME, so the Workers panel surfaces the
  row the moment the unit is enabled.
* api_start_all_workers preferred-order list + "attribution" between
  reuse-correlator and enrich so a fresh start-all brings it up
  alongside its peers.

After this commit `systemctl enable --now decnet-attribution` (or
the dashboard's start-all) actually launches the engine.

decnet/web/router/workers/api_start_all_workers.py

@@ -27,6 +27,7 @@ _PREFERRED_ORDER: tuple[str, ...] = (
     "mutator",
     "reconciler",
     "reuse-correlator",
+    "attribution",
     "enrich",
     "clusterer",
     "campaign-clusterer",

decnet/web/worker_registry.py

@@ -40,6 +40,7 @@ KNOWN_WORKERS: tuple[str, ...] = (
     "mutator",
     "reconciler",  # host-local fleet convergence — JSON ↔ DB ↔ docker
     "reuse-correlator",  # credential-reuse pass — bus-woken on credential.captured
+    "attribution",  # per-(identity, primitive) state machine — bus-woken on attacker.observation.>
     "enrich",     # threat-intel enrichment — bus-woken on attacker.observed/scored
     "clusterer",  # behavioral clustering — bus-woken on attacker.scored
     "campaign-clusterer",  # campaign assembly — bus-woken on identity.formed