feat(mazenet): host port-collision warning at deploy time

Add check_no_host_port_collision: enumerate the ports the topology's
gateways will publish (forwards_l3=True × svc.ports), probe live
listeners via psutil, emit a 'warning'-severity PORT_COLLISION
issue per overlap. Live-only — invoked from deploy_topology just
after dry-run branching, so unit tests that exercise validate()
stay hermetic.

Warning rather than error because docker-compose up will hard-fail
on a real collision anyway; this just gives operators a cleaner log
line ahead of the compose failure.

decnet/engine/deployer.py

@@ -35,7 +35,12 @@ from decnet.topology.compose import (
 )
 from decnet.topology.persistence import hydrate, transition_status
 from decnet.topology.status import TopologyStatus
-from decnet.topology.validate import ValidationError, errors as _validation_errors, validate as _validate_topology
+from decnet.topology.validate import (
+    ValidationError,
+    check_no_host_port_collision,
+    errors as _validation_errors,
+    validate as _validate_topology,
+)
 
 log = get_logger("engine")
 console = Console()
@@ -338,6 +343,12 @@ async def deploy_topology(repo, topology_id: str, *, dry_run: bool = False) -> N
         log.info("topology %s dry-run complete", topology_id)
         return
 
+    # Host-state precheck: PORT_COLLISION is a warning (docker-compose
+    # will hard-fail if the port is actually unavailable; we just want
+    # the clearer log line up-front).  Only runs at live deploy.
+    for w in check_no_host_port_collision(hydrated):
+        log.warning("[%s] %s", w.code, w.message)
+
     await transition_status(repo, topology_id, TopologyStatus.DEPLOYING)
 
     client = docker.from_env()