feat(attackers): scanned vs. interacted service bucketing on detail page

Adds a new card on AttackerDetail: SCANNED · N services | INTERACTED
WITH · M services. Distinguishes port-scanners (N high, M=0) from
actual engagement (M>0) at a glance — the analyst's first question
when triaging a new attacker row.

Classifier lives in decnet/correlation/event_kinds.py, a single
source of truth for the event-type vocabulary:

- INTERACTION_EVENT_TYPES — command-family (command/exec/query/...),
  SMTP engagement (mail_from/rcpt_to/message_accepted), file/payload
  activity (file_captured/upload/download_attempt/retr), pub/sub
  (publish/subscribe), recorded TTY sessions.
- NOISE_EVENT_TYPES — DECNET-internal (startup/shutdown/parse_error/
  unknown_*).
- Everything else defaults to scan. Conservative by design: new
  template verbs show up as "scanned" until explicitly promoted.

Bucket logic: a service is "interacted" if ≥1 of its events
classifies as interaction; otherwise "scanned" if ≥1 scan event;
noise-only services drop. Disjoint by construction.

Deliberate no-schema path: compute on-the-fly in the detail endpoint
via SELECT DISTINCT service, event_type FROM logs. Small result set
(tens of pairs per attacker), cost is trivial vs. the existing
behavior/commands queries. Trade-off: one more DB round-trip per
detail view in exchange for zero ALTER TABLE migration pain and
immediate classifier-change feedback loop.

Profiler's _COMMAND_EVENT_TYPES stays as-is (strict subset of
interactions that carry executable text), with a comment pointing at
the new canonical module.

Closes DEVELOPMENT.md "Attacker Intelligence §Service-Level Behavioral
Profiling — Services actively interacted with".

decnet_web/src/components/AttackerDetail.tsx

@@ -63,6 +63,10 @@ interface AttackerData {
   country_source: string | null;
   updated_at: string;
   behavior: AttackerBehavior | null;
+  service_activity?: {
+    interacted: string[];
+    scanned: string[];
+  };
 }
 
 // ─── Fingerprint rendering ───────────────────────────────────────────────────
@@ -944,6 +948,40 @@ const AttackerDetail: React.FC = () => {
         </div>
       </div>
 
+      {/* Scanned vs. Interacted — activity-depth signal */}
+      {attacker.service_activity &&
+        (attacker.service_activity.scanned.length > 0 ||
+         attacker.service_activity.interacted.length > 0) && (
+        <div className="stats-grid" style={{ gridTemplateColumns: 'repeat(2, 1fr)' }}>
+          <div
+            className="stat-card"
+            title={
+              attacker.service_activity.scanned.length > 0
+                ? `Services: ${attacker.service_activity.scanned.join(', ')}`
+                : 'No services were scanned without engagement.'
+            }
+          >
+            <div className="stat-value matrix-text">
+              {attacker.service_activity.scanned.length}
+            </div>
+            <div className="stat-label">SCANNED · SERVICES</div>
+          </div>
+          <div
+            className="stat-card"
+            title={
+              attacker.service_activity.interacted.length > 0
+                ? `Services: ${attacker.service_activity.interacted.join(', ')}`
+                : 'No services were interacted with — scan-only attacker.'
+            }
+          >
+            <div className="stat-value violet-accent">
+              {attacker.service_activity.interacted.length}
+            </div>
+            <div className="stat-label">INTERACTED WITH · SERVICES</div>
+          </div>
+        </div>
+      )}
+
       {/* Timestamps */}
       <Section title="TIMELINE" open={openSections.timeline} onToggle={() => toggle('timeline')}>
         <div style={{ padding: '16px', display: 'flex', flexWrap: 'wrap', gap: '32px', fontSize: '0.85rem' }}>