feat: Phase 1 — JA3/JA3S sniffer, Attacker model, profile worker

Add passive TLS fingerprinting via a sniffer container on the MACVLAN
interface, plus the Attacker table and periodic rebuild worker that
correlates per-IP profiles from Log + Bounty + CorrelationEngine.

- templates/sniffer/: Scapy sniffer with pure-Python TLS parser;
  emits tls_client_hello / tls_session RFC 5424 lines with ja3, ja3s,
  sni, alpn, raw_ciphers, raw_extensions; GREASE filtered per RFC 8701
- decnet/services/sniffer.py: service plugin (no ports, NET_RAW/NET_ADMIN)
- decnet/web/db/models.py: Attacker SQLModel table + AttackersResponse
- decnet/web/db/repository.py: 5 new abstract methods
- decnet/web/db/sqlite/repository.py: implement all 5 (upsert, pagination,
  sort by recent/active/traversals, bounty grouping)
- decnet/web/attacker_worker.py: 30s periodic rebuild via CorrelationEngine;
  extracts commands from log fields, merges fingerprint bounties
- decnet/web/api.py: wire attacker_profile_worker into lifespan
- decnet/web/ingester.py: extract JA3 bounty (fingerprint_type=ja3)
- development/DEVELOPMENT.md: full attacker intelligence collection roadmap
- pyproject.toml: scapy>=2.6.1 added to dev deps
- tests: test_sniffer_ja3.py (40+ vectors), test_attacker_worker.py,
  test_base_repo.py / test_web_api.py updated for new surface

decnet/web/api.py

@@ -14,16 +14,18 @@ from decnet.logging import get_logger
 from decnet.web.dependencies import repo
 from decnet.collector import log_collector_worker
 from decnet.web.ingester import log_ingestion_worker
+from decnet.web.attacker_worker import attacker_profile_worker
 from decnet.web.router import api_router
 
 log = get_logger("api")
 ingestion_task: Optional[asyncio.Task[Any]] = None
 collector_task: Optional[asyncio.Task[Any]] = None
+attacker_task: Optional[asyncio.Task[Any]] = None
 
 
 @asynccontextmanager
 async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
-    global ingestion_task, collector_task
+    global ingestion_task, collector_task, attacker_task
 
     log.info("API startup initialising database")
     for attempt in range(1, 6):
@@ -51,13 +53,18 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
             log.debug("API startup collector worker started log_file=%s", _log_file)
         elif not _log_file:
             log.warning("DECNET_INGEST_LOG_FILE not set — Docker log collection disabled.")
+
+        # Start attacker profile rebuild worker
+        if attacker_task is None or attacker_task.done():
+            attacker_task = asyncio.create_task(attacker_profile_worker(repo))
+            log.debug("API startup attacker profile worker started")
     else:
         log.info("Contract Test Mode: skipping background worker startup")
 
     yield
 
     log.info("API shutdown cancelling background tasks")
-    for task in (ingestion_task, collector_task):
+    for task in (ingestion_task, collector_task, attacker_task):
         if task and not task.done():
             task.cancel()
             try: