feat(api): GET /credential-reuse list + detail endpoints

Read-only routes for the credential-reuse findings produced by the
correlator. Mirrors the /credentials route shape: JWT-gated via
require_viewer, paginated with optional secret_kind /
min_target_count filters, and a 404-on-missing detail route.

No POST/PUT/PATCH (and no body parsing) so no 400 contract is
documented.

decnet/web/router/__init__.py

@@ -6,6 +6,7 @@ from .logs.api_get_logs import router as logs_router
 from .logs.api_get_histogram import router as histogram_router
 from .bounty.api_get_bounties import router as bounty_router
 from .credentials.api_get_credentials import router as credentials_router
+from .credential_reuse.api_get_credential_reuse import router as credential_reuse_router
 from .stats.api_get_stats import router as stats_router
 from .fleet.api_get_deckies import router as get_deckies_router
 from .fleet.api_mutate_decky import router as mutate_decky_router
@@ -63,6 +64,9 @@ api_router.include_router(bounty_router)
 # Credentials (deduped attacker auth attempts)
 api_router.include_router(credentials_router)
 
+# Credential reuse findings (cross-decky/cross-service same-secret hits)
+api_router.include_router(credential_reuse_router)
+
 # Fleet Management
 api_router.include_router(get_deckies_router)
 api_router.include_router(mutate_decky_router)

decnet/web/router/credential_reuse/api_get_credential_reuse.py

@@ -0,0 +1,74 @@
+from typing import Any, Optional
+
+from fastapi import APIRouter, Depends, HTTPException, Query
+
+from decnet.telemetry import traced as _traced
+from decnet.web.dependencies import require_viewer, repo
+from decnet.web.db.models import CredentialReuseResponse
+
+router = APIRouter()
+
+
+@router.get(
+    "/credential-reuse",
+    response_model=CredentialReuseResponse,
+    tags=["Credentials"],
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+        422: {"description": "Validation error"},
+    },
+)
+@_traced("api.list_credential_reuse")
+async def list_credential_reuse(
+    limit: int = Query(50, ge=1, le=1000),
+    offset: int = Query(0, ge=0, le=2147483647),
+    min_target_count: int = Query(2, ge=2, le=2147483647),
+    secret_kind: Optional[str] = None,
+    user: dict = Depends(require_viewer),
+) -> dict[str, Any]:
+    """Paged list of credential-reuse findings ordered by target_count desc.
+
+    Each row collapses every Credential capture sharing the same secret
+    + principal across distinct (decky, service) pairs into a single
+    finding with the union of attacker UUIDs/IPs and reach.
+    """
+    def _norm(v: Optional[str]) -> Optional[str]:
+        if v in (None, "null", "NULL", "undefined", ""):
+            return None
+        return v
+
+    kind = _norm(secret_kind)
+    total, data = await repo.list_credential_reuses(
+        limit=limit,
+        offset=offset,
+        min_target_count=min_target_count,
+        secret_kind=kind,
+    )
+    return {
+        "total": total,
+        "limit": limit,
+        "offset": offset,
+        "data": data,
+    }
+
+
+@router.get(
+    "/credential-reuse/{reuse_id}",
+    tags=["Credentials"],
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+        404: {"description": "CredentialReuse row not found"},
+    },
+)
+@_traced("api.get_credential_reuse")
+async def get_credential_reuse(
+    reuse_id: str,
+    user: dict = Depends(require_viewer),
+) -> dict[str, Any]:
+    """One credential-reuse finding by UUID, or 404."""
+    row = await repo.get_credential_reuse_by_id(reuse_id)
+    if row is None:
+        raise HTTPException(status_code=404, detail="credential_reuse not found")
+    return row