feat(ttp): E.4.a extract decnet/cli/ttp.py with worker run + backfill CLI

The TTP worker entry moved out of decnet/cli/workers.py into its own
module so the TTP CLI surface (worker + admin verbs) is colocated,
mirroring decnet/cli/canary.py / webhook.py / swarm.py.

- New `decnet/cli/ttp.py` with `decnet ttp` (worker, ExecStart-stable
  for decnet-ttp.service) and `decnet ttp-backfill --since-days N`.
- `decnet ttp-backfill` walks Attacker.commands and CanaryTrigger
  history, dispatches each row through the live CompositeTagger,
  persists tags via repo.insert_tags (idempotent INSERT OR IGNORE).
  --dry-run / --source command|canary|all / --batch-size supported.
- Backfill deliberately bypasses bus publish — historical replay
  must not re-trigger SIEM/webhook fan-out per TTP_TAGGING.md
  §"Bus topics" loop-prevention invariant.
- Added `iter_attacker_commands_since` / `iter_canary_triggers_since`
  read-only iterators on TTPMixin + abstract bindings on
  BaseRepository.
- Master-only via gating; both `ttp` and `ttp-backfill` listed in
  MASTER_ONLY_COMMANDS.

decnet/cli/workers.py

@@ -296,56 +296,9 @@ def register(app: typer.Typer) -> None:
         except KeyboardInterrupt:
             console.print("\n[yellow]Campaign clusterer stopped.[/]")
 
-    @app.command(name="ttp")
-    def ttp(
-        poll_interval_secs: float = typer.Option(
-            60.0, "--poll-interval", "-i",
-            help="Slow-tick fallback when the bus is idle or unavailable (seconds)",
-        ),
-        daemon: bool = typer.Option(
-            False, "--daemon", "-d",
-            help="Detach to background as a daemon process",
-        ),
-    ) -> None:
-        """TTP-tagging worker — MITRE ATT&CK technique tagging.
-
-        Bus-woken on ``attacker.session.ended`` / ``attacker.observed``
-        / ``attacker.intel.enriched`` / ``identity.formed`` /
-        ``identity.merged`` / ``credential.reuse.detected`` /
-        ``email.received`` / ``canary.>``. Dispatches each event
-        through the :class:`CompositeTagger` (RuleEngine +
-        Behavioral / Intel / Email / CanaryFingerprint / Identity /
-        Credential lifters), persists ``ttp_tag`` rows via the
-        idempotent ``INSERT OR IGNORE`` write, and publishes
-        ``ttp.tagged`` + per-technique ``ttp.rule.fired.*`` only when
-        the insert returned a non-zero rowcount (loop-prevention
-        invariant from TTP_TAGGING.md §"Bus topics").
-        """
-        import asyncio
-        from decnet.cli.gating import _require_master_mode
-        from decnet.ttp.worker import run_ttp_worker_loop
-        from decnet.web.dependencies import repo
-
-        _require_master_mode("ttp")
-
-        if daemon:
-            log.info("ttp daemonizing poll=%s", poll_interval_secs)
-            _utils._daemonize()
-
-        log.info("ttp command invoked poll=%s", poll_interval_secs)
-        console.print(
-            f"[bold cyan]TTP tagging worker starting[/] "
-            f"poll={poll_interval_secs}s"
-        )
-        console.print("[dim]Press Ctrl+C to stop[/]")
-
-        async def _run() -> None:
-            await repo.initialize()
-            await run_ttp_worker_loop(
-                repo, poll_interval_secs=poll_interval_secs,
-            )
-
-        try:
-            asyncio.run(_run())
-        except KeyboardInterrupt:
-            console.print("\n[yellow]TTP tagging worker stopped.[/]")
+    # ``decnet ttp`` and ``decnet ttp-backfill`` moved to
+    # :mod:`decnet.cli.ttp` — the TTP CLI surface (worker + admin verbs)
+    # is colocated there, mirroring the per-feature CLI split used by
+    # :mod:`decnet.cli.canary`, :mod:`decnet.cli.webhook`, etc. The
+    # ``decnet-ttp.service`` systemd unit's ExecStart still resolves to
+    # ``decnet ttp`` because the command name is unchanged.