refactor(orchestrator): collapse decnet-emailgen.service into orchestrator

Stage 5 of the realism migration. Email generation is no longer a
separate worker / systemd unit / CLI subcommand — the orchestrator's
single tick loop covers SSH traffic, file plants, and email drops.
Going from 21 services to 20.

Worker:
- _one_tick rolls between traffic / file / email (45/45/10 weights).
  The 10% email weight at a 60s orchestrator interval produces ~one
  email per 10 minutes, close to the pre-collapse 5-minute cadence.
- get_driver_for(action) (stage 4) handles SSH vs Email dispatch.
- Quiet branches fall through so a (decky-set, persona-pool,
  mail-decky) shape that silences one branch doesn't waste the tick.
- Periodic prune covers both orchestrator_events and
  orchestrator_emails tables.

Deletions:
- deploy/decnet-emailgen.service.j2
- decnet/orchestrator/emailgen/worker.py
- decnet/cli/emailgen.py
- tests/orchestrator/emailgen/test_worker_integration.py

Renames (history-preserving):
- decnet/web/router/emailgen/ -> decnet/web/router/realism/
- tests/api/emailgen/        -> tests/api/realism/
- tests/cli/test_emailgen_*  -> tests/cli/test_realism_*

Public surface changes (clean break, pre-v1):
- API URL /api/v1/emailgen/personas -> /api/v1/realism/personas
- CLI `decnet emailgen import-personas` -> `decnet realism
  import-personas`. `decnet emailgen run` is gone — the orchestrator
  covers it.
- gating.py: emailgen master-only group replaced by realism.
- decnet-orchestrator.service.j2: DECNET_REALISM_* env block added.
- decnet.target: decnet-emailgen.service entry removed.
- frontend: PersonaGeneration.tsx fetches /realism/personas.

deploy/decnet-emailgen.service.j2

@@ -1,54 +0,0 @@
-[Unit]
-Description=DECNET Emailgen (LLM-driven fake corporate email into IMAP/POP3 deckies)
-Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#emailgen
-After=network-online.target decnet-bus.service
-Wants=network-online.target decnet-bus.service
-
-[Service]
-Type=simple
-User={{ user }}
-Group={{ group }}
-WorkingDirectory={{ install_dir }}
-EnvironmentFile=-{{ install_dir }}/.env.local
-Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.emailgen.log
-# LLM backend selection + model are operator-tunable via .env.local:
-#   DECNET_EMAILGEN_LLM=ollama|fake     (default: ollama)
-#   DECNET_EMAILGEN_MODEL=llama3.1      (default: llama3.1)
-#   DECNET_EMAILGEN_TIMEOUT=60          (LLM wall-clock cap, seconds)
-#   DECNET_EMAILGEN_PERSONAS=/etc/decnet/email_personas.json
-#                                       (override the global persona pool)
-ExecStart={{ venv_dir }}/bin/decnet emailgen run
-StandardOutput=append:/var/log/decnet/decnet.emailgen.log
-StandardError=append:/var/log/decnet/decnet.emailgen.log
-
-# Emailgen drives `docker exec` against IMAP/POP3 decky containers to drop
-# .eml files into the spool, identical to the SSH-flavoured orchestrator.
-# It does NOT bind to the network, launch new containers, or write outside
-# its own logs and install dir.
-SupplementaryGroups=docker
-
-CapabilityBoundingSet=
-AmbientCapabilities=
-
-# Security Hardening
-NoNewPrivileges=yes
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
-RestrictSUIDSGID=yes
-LockPersonality=yes
-# /etc/decnet is included so `decnet emailgen import-personas` can write
-# the canonical /etc/decnet/email_personas.json without the worker losing
-# read access (it lives outside ReadWritePaths so writes from the worker
-# itself are still blocked — only the operator-run CLI writes here).
-ReadWritePaths={{ install_dir }} /var/log/decnet
-
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=15
-
-[Install]
-WantedBy=multi-user.target

deploy/decnet-orchestrator.service.j2

@@ -1,5 +1,5 @@
 [Unit]
-Description=DECNET Orchestrator (synthetic life-injection — inter-decky traffic + file ops)
+Description=DECNET Orchestrator (synthetic life-injection — inter-decky traffic, file plants, email drops)
 Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#orchestrator
 After=network-online.target decnet-bus.service
 Wants=network-online.target decnet-bus.service
@@ -11,6 +11,13 @@ Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
 Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.orchestrator.log
+# Realism content engine — LLM + persona-pool config used by the
+# email + (post-stage-6) file-class enrichment paths.  See
+# decnet/realism/llm/factory.py and decnet/realism/personas_pool.py.
+Environment=DECNET_REALISM_LLM=ollama
+Environment=DECNET_REALISM_MODEL=llama3.1
+Environment=DECNET_REALISM_TIMEOUT=60
+Environment=DECNET_REALISM_PERSONAS=/etc/decnet/email_personas.json
 ExecStart={{ venv_dir }}/bin/decnet orchestrate
 StandardOutput=append:/var/log/decnet/decnet.orchestrator.log
 StandardError=append:/var/log/decnet/decnet.orchestrator.log

deploy/decnet.target

@@ -20,8 +20,7 @@ Wants=decnet-bus.service \
       decnet-campaign-clusterer.service \
       decnet-webhook.service \
       decnet-canary.service \
-      decnet-orchestrator.service \
-      decnet-emailgen.service
+      decnet-orchestrator.service
 After=decnet-bus.service
 
 [Install]