refactor(orchestrator): collapse decnet-emailgen.service into orchestrator

Stage 5 of the realism migration. Email generation is no longer a
separate worker / systemd unit / CLI subcommand — the orchestrator's
single tick loop covers SSH traffic, file plants, and email drops.
Going from 21 services to 20.

Worker:
- _one_tick rolls between traffic / file / email (45/45/10 weights).
  The 10% email weight at a 60s orchestrator interval produces ~one
  email per 10 minutes, close to the pre-collapse 5-minute cadence.
- get_driver_for(action) (stage 4) handles SSH vs Email dispatch.
- Quiet branches fall through so a (decky-set, persona-pool,
  mail-decky) shape that silences one branch doesn't waste the tick.
- Periodic prune covers both orchestrator_events and
  orchestrator_emails tables.

Deletions:
- deploy/decnet-emailgen.service.j2
- decnet/orchestrator/emailgen/worker.py
- decnet/cli/emailgen.py
- tests/orchestrator/emailgen/test_worker_integration.py

Renames (history-preserving):
- decnet/web/router/emailgen/ -> decnet/web/router/realism/
- tests/api/emailgen/        -> tests/api/realism/
- tests/cli/test_emailgen_*  -> tests/cli/test_realism_*

Public surface changes (clean break, pre-v1):
- API URL /api/v1/emailgen/personas -> /api/v1/realism/personas
- CLI `decnet emailgen import-personas` -> `decnet realism
  import-personas`. `decnet emailgen run` is gone — the orchestrator
  covers it.
- gating.py: emailgen master-only group replaced by realism.
- decnet-orchestrator.service.j2: DECNET_REALISM_* env block added.
- decnet.target: decnet-emailgen.service entry removed.
- frontend: PersonaGeneration.tsx fetches /realism/personas.

tests/api/realism/test_personas_api.py

@@ -1,4 +1,4 @@
-"""GET/PUT /api/v1/emailgen/personas — global persona pool CRUD."""
+"""GET/PUT /api/v1/realism/personas — global persona pool CRUD."""
 from __future__ import annotations
 
 import json
@@ -6,7 +6,7 @@ import json
 import pytest
 
 from decnet.realism import personas_pool as global_pool
-from decnet.web.router.emailgen.api_personas import (
+from decnet.web.router.realism.api_personas import (
     list_personas,
     replace_personas,
 )

tests/api/topology/test_personas_api.py

@@ -0,0 +1,180 @@
+"""Per-topology persona endpoints — GET/PUT /topologies/{id}/personas."""
+from __future__ import annotations
+
+import json
+
+import pytest
+
+from decnet.topology.config import TopologyConfig
+from decnet.topology.generator import generate
+from decnet.topology.persistence import persist
+from decnet.web.dependencies import repo as _repo
+
+_V1 = "/api/v1/topologies"
+
+
+def _cfg(name: str = "personas") -> TopologyConfig:
+    return TopologyConfig(
+        name=name,
+        depth=1,
+        branching_factor=1,
+        deckies_per_lan_min=1,
+        deckies_per_lan_max=1,
+        services_explicit=["ssh"],
+        randomize_services=False,
+        seed=0,
+    )
+
+
+async def _seed(name: str = "personas") -> str:
+    return await persist(_repo, generate(_cfg(name)))
+
+
+def _persona(email: str, name: str = "Jane Doe") -> dict:
+    return {
+        "name": name,
+        "email": email,
+        "role": "Admin",
+        "tone": "formal",
+        "mannerisms": ["uses bullet points"],
+    }
+
+
+@pytest.mark.anyio
+async def test_get_default_empty(client, auth_token):
+    tid = await _seed("get-empty")
+    r = await client.get(
+        f"{_V1}/{tid}/personas",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 200, r.text
+    body = r.json()
+    assert body["topology_id"] == tid
+    assert body["personas"] == []
+    assert body["language_default"] == "en"
+
+
+@pytest.mark.anyio
+async def test_get_404(client, auth_token):
+    r = await client.get(
+        f"{_V1}/does-not-exist/personas",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_put_then_get(client, auth_token):
+    tid = await _seed("put-roundtrip")
+    payload = {"personas": [
+        _persona("a@example.com", "Alice"),
+        _persona("b@example.com", "Bob"),
+    ]}
+    r = await client.put(
+        f"{_V1}/{tid}/personas",
+        json=payload,
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 200, r.text
+    assert len(r.json()["personas"]) == 2
+
+    r2 = await client.get(
+        f"{_V1}/{tid}/personas",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r2.status_code == 200
+    emails = [p["email"] for p in r2.json()["personas"]]
+    assert emails == ["a@example.com", "b@example.com"]
+
+    # Persisted as JSON string in the topology row.
+    topo = await _repo.get_topology(tid)
+    assert isinstance(topo["email_personas"], str)
+    stored = json.loads(topo["email_personas"])
+    assert {p["email"] for p in stored} == {"a@example.com", "b@example.com"}
+
+
+@pytest.mark.anyio
+async def test_put_empty_clears(client, auth_token):
+    tid = await _seed("put-empty")
+    await client.put(
+        f"{_V1}/{tid}/personas",
+        json={"personas": [_persona("x@example.com")]},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    r = await client.put(
+        f"{_V1}/{tid}/personas",
+        json={"personas": []},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 200
+    assert r.json()["personas"] == []
+
+
+@pytest.mark.anyio
+async def test_put_non_list_400(client, auth_token):
+    tid = await _seed("put-non-list")
+    r = await client.put(
+        f"{_V1}/{tid}/personas",
+        json={"personas": "not a list"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 400
+
+
+@pytest.mark.anyio
+async def test_put_all_invalid_400(client, auth_token):
+    tid = await _seed("put-all-bad")
+    r = await client.put(
+        f"{_V1}/{tid}/personas",
+        json={"personas": [{"email": "no-at-sign"}, {"name": "no-email"}]},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 400
+
+
+@pytest.mark.anyio
+async def test_put_partial_invalid_keeps_valid(client, auth_token):
+    """Mirror the global-pool drop-invalid semantics.
+
+    The endpoint silently drops bad entries; operators discover what
+    landed by reading back the GET.
+    """
+    tid = await _seed("put-partial")
+    r = await client.put(
+        f"{_V1}/{tid}/personas",
+        json={"personas": [
+            _persona("good@example.com"),
+            {"name": "missing email"},
+        ]},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 200
+    body = r.json()
+    assert [p["email"] for p in body["personas"]] == ["good@example.com"]
+
+
+@pytest.mark.anyio
+async def test_put_404_on_missing_topology(client, auth_token):
+    r = await client.put(
+        f"{_V1}/does-not-exist/personas",
+        json={"personas": [_persona("x@example.com")]},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_get_does_not_shadow_existing_topology_id(client, auth_token):
+    """Ensure the personas subroute is registered before the bare /{id}.
+
+    If the literal `/personas` segment got shadowed by the parameterized
+    `/{id}` route, GET would return the topology body instead of 404 for
+    a missing personas resource.  Sanity-check the order.
+    """
+    tid = await _seed("shadow-check")
+    r = await client.get(
+        f"{_V1}/{tid}/personas",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert r.status_code == 200
+    assert "personas" in r.json()