feat(swarm): unbundle master-only code from agent tarball + sync systemd units on update

Agents now ship with collector/prober/sniffer as systemd services; mutator,
profiler, web, and API stay master-only (profiler rebuilds attacker profiles
against the master DB — no per-host DB exists). Expand _EXCLUDES to drop the
full decnet/web, decnet/mutator, decnet/profiler, and decnet_web trees from
the enrollment bundle.

Updater now calls _heal_path_symlink + _sync_systemd_units after rotation so
fleets pick up new unit files and /usr/local/bin/decnet tracks the shared venv
without a manual reinstall. daemon-reload runs once per update when any unit
changed.

Fix _service_registry matchers to accept systemd-style /usr/local/bin/decnet
cmdlines (psutil returns a list — join to string before substring-checking)
so agent-mode `decnet status` reports collector/prober/sniffer correctly.

decnet/web/templates/enroll_bootstrap.sh.j2

@@ -62,7 +62,7 @@ ln -sf "$VENV_DIR/bin/decnet" /usr/local/bin/decnet
 echo "[DECNET] installing systemd units..."
 for unit in \
   decnet-agent decnet-forwarder decnet-engine \
-  decnet-collector decnet-prober decnet-profiler decnet-sniffer; do
+  decnet-collector decnet-prober decnet-sniffer; do
   install -Dm0644 "etc/systemd/system/${unit}.service" "/etc/systemd/system/${unit}.service"
 done
 if [[ "$WITH_UPDATER" == "true" ]]; then
@@ -76,7 +76,7 @@ systemctl daemon-reload
 ACTIVE_UNITS=(
   decnet-agent.service decnet-forwarder.service
   decnet-collector.service decnet-prober.service
-  decnet-profiler.service decnet-sniffer.service
+  decnet-sniffer.service
 )
 if [[ "$WITH_UPDATER" == "true" ]]; then
   ACTIVE_UNITS+=(decnet-updater.service)