feat(creds): Phase 1 — Authorization header + SNMP community capture

Closes the cred-coverage gap for 7 services that already had the data
on the wire but never landed it in the Credential table:

- SNMP — community string lands as secret_kind="snmp_community",
  principal=None (v1/v2c has no per-user identity, the community IS
  the auth).
- SIP — Digest response hash, previously buried in the auth= header
  dump, now classify_authorization()-extracted.
- HTTP / HTTPS — Authorization header was in the headers JSON but
  never extracted. Now Basic decodes to plaintext, Bearer →
  http_bearer (principal=None), Digest → http_digest_md5.
- K8s — already extracted Authorization but didn't normalize. Service-
  account JWTs flow through as Bearer.
- Docker API — headers absent entirely. Adds the headers JSON dump
  and runs Authorization through the classifier.
- Elasticsearch — five distinct request handlers; each gains a
  per-handler _cred_fields() helper.

Adds canonical templates/syslog_bridge.py:classify_authorization().
Recognised: Basic / Bearer / Token / Digest. Unknown schemes (NTLM,
AWS4-HMAC, Negotiate) return None; the header still rides in the
ambient SD-block but isn't normalized as a credential. The SD shape
on the wire collapses sip_digest_md5 into http_digest_md5 — same
algorithm, so cross-protocol reuse correlates correctly when (rare)
nonce collisions allow.

Drive-by repair of tests/core/test_fingerprinting.py:

- The pre-existing `test_http_useragent_extracted` asserted both that
  add_bounty was called exactly once AND that the UA payload carried
  `path` and `method` fields. Both wrong since this session opened:
  the http_quirks fingerprint added later fires too, and the UA
  payload never actually included path/method despite the assertion.
- Adds `path`/`method` to the UA fingerprint payload (real operator
  value: "Nikto hit /admin" beats "Nikto seen on this decky").
- Replaces `assert_awaited_once` with a `_find_ua_bounty()` helper
  that filters add_bounty calls by `fingerprint_type`. New fingerprint
  families landing later won't retroactively break old tests.
- Updates the two credential-bearing tests to use the post-DEBT-039
  native shape (`secret_b64` / `principal`) and `upsert_credential`,
  not the deleted legacy `username+password` adapter.

Also rebuilds the per-service fake `syslog_bridge` modules in
tests/service_testing/{conftest,test_imap,test_pop3,test_snmp,test_mqtt,test_smtp}.py
to expose `encode_secret` + `classify_authorization`. Service templates
that import either now no longer fail at test collection.

173 tests pass in the touched scope. Phases 2-7 still pending.

decnet/templates/elasticsearch/server.py

@@ -11,7 +11,12 @@ import os
 from http.server import BaseHTTPRequestHandler, HTTPServer
 
 import instance_seed as _seed
-from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
+from syslog_bridge import (
+    classify_authorization,
+    forward_syslog,
+    syslog_line,
+    write_syslog_file,
+)
 
 NODE_NAME = os.environ.get("NODE_NAME", "esserver")
 SERVICE_NAME   = "elasticsearch"
@@ -102,18 +107,23 @@ class ESHandler(BaseHTTPRequestHandler):
         length = int(self.headers.get("Content-Length", 0))
         return self.rfile.read(length).decode(errors="replace") if length else ""
 
+    def _cred_fields(self) -> dict:
+        """Universal cred shape from this request's Authorization header,
+        or empty dict when absent / unrecognized."""
+        return classify_authorization(self.headers.get("Authorization")) or {}
+
     def do_GET(self):
         src = self.client_address[0]
         path = self.path.split("?")[0]
 
         if path in ("/", ""):
-            _log("root_probe", src=src, method="GET", path=self.path)
+            _log("root_probe", src=src, method="GET", path=self.path, **self._cred_fields())
             self._send_json(200, _ROOT_RESPONSE)
         elif path.startswith("/_cat/"):
-            _log("cat_api", src=src, method="GET", path=self.path)
+            _log("cat_api", src=src, method="GET", path=self.path, **self._cred_fields())
             self._send_json(200, [])
         elif path.startswith("/_cluster/"):
-            _log("cluster_recon", src=src, method="GET", path=self.path)
+            _log("cluster_recon", src=src, method="GET", path=self.path, **self._cred_fields())
             self._send_json(200, {
                 "cluster_name": _CLUSTER_NAME,
                 "cluster_uuid": _CLUSTER_UUID,
@@ -129,7 +139,7 @@ class ESHandler(BaseHTTPRequestHandler):
                 "active_shards_percent_as_number": 100.0,
             })
         elif path.startswith("/_nodes"):
-            _log("nodes_recon", src=src, method="GET", path=self.path)
+            _log("nodes_recon", src=src, method="GET", path=self.path, **self._cred_fields())
             self._send_json(200, {
                 "_nodes": {"total": _CLUSTER_NODES, "successful": _CLUSTER_NODES, "failed": 0},
                 "cluster_name": _CLUSTER_NAME,
@@ -137,10 +147,10 @@ class ESHandler(BaseHTTPRequestHandler):
                                        "build_hash": _ES_BUILD_HASH}},
             })
         elif path.startswith("/_security/") or path.startswith("/_xpack/"):
-            _log("security_probe", src=src, method="GET", path=self.path)
+            _log("security_probe", src=src, method="GET", path=self.path, **self._cred_fields())
             self._send_json(200, {"enabled": True, "available": True})
         else:
-            _log("request", src=src, method="GET", path=self.path)
+            _log("request", src=src, method="GET", path=self.path, **self._cred_fields())
             self._send_json(404, {"error": {"root_cause": [{"type": "index_not_found_exception",
                                                              "reason": "no such index"}]}})
 
@@ -149,7 +159,8 @@ class ESHandler(BaseHTTPRequestHandler):
         body = self._read_body()
         path = self.path.split("?")[0]
         _log("post_request", src=src, method="POST", path=self.path,
-             body_preview=body[:300], user_agent=self.headers.get("User-Agent", ""))
+             body_preview=body[:300], user_agent=self.headers.get("User-Agent", ""),
+             **self._cred_fields())
         if "_search" in path or "_bulk" in path:
             self._send_json(200, {"took": 1, "timed_out": False, "hits": {"total": {"value": 0}, "hits": []}})
         else:
@@ -158,17 +169,20 @@ class ESHandler(BaseHTTPRequestHandler):
     def do_PUT(self):
         src = self.client_address[0]
         body = self._read_body()
-        _log("put_request", src=src, method="PUT", path=self.path, body_preview=body[:300])
+        _log("put_request", src=src, method="PUT", path=self.path,
+             body_preview=body[:300], **self._cred_fields())
         self._send_json(200, {"acknowledged": True})
 
     def do_DELETE(self):
         src = self.client_address[0]
-        _log("delete_request", src=src, method="DELETE", path=self.path)
+        _log("delete_request", src=src, method="DELETE", path=self.path,
+             **self._cred_fields())
         self._send_json(200, {"acknowledged": True})
 
     def do_HEAD(self):
         src = self.client_address[0]
-        _log("head_request", src=src, method="HEAD", path=self.path)
+        _log("head_request", src=src, method="HEAD", path=self.path,
+             **self._cred_fields())
         self._send_json(200, {})
 
     def log_message(self, fmt, *args):