refactor(intel): re-key attacker_intel on attacker_uuid (closes DEBT-041)

The threat-intel surface was IP-keyed on day one as an expedient — the
worker is woken by IP-bearing bus events. ANTI's call: don't carry that
debt. NO IPs as primary keys anywhere on the attacker-intel surface.

Schema:
- attacker_uuid is now the canonical key — UNIQUE + FK to attackers.uuid.
- attacker_ip stays as a denormalised, indexed, NON-UNIQUE value column.
  Updated on every upsert; useful for SIEM payloads and audit lookups,
  but explicitly NOT a key. Model docstring says so.
- Pre-v1, no Alembic migration needed. SQLModel.metadata.create_all()
  builds the new shape on fresh DBs.

Repo:
- upsert_attacker_intel now keys on attacker_uuid.
- get_attacker_intel_by_ip → get_attacker_intel_by_uuid.
- get_unenriched_attacker_ips → get_unenriched_attackers, returning
  [{uuid, ip}] tuples so the worker writes by UUID and dispatches
  provider calls by IP without a second round-trip.

Worker:
- _enrich_one(uuid, ip, ...) — UUID lands on the row, IP rides for
  provider egress.
- attacker.intel.enriched bus payload gains attacker_uuid alongside
  attacker_ip — webhook → SIEM consumers benefit; no removal.

API:
- GET /api/v1/attackers/{ip}/intel deleted outright (rip-and-replace,
  never deployed beyond dev).
- GET /api/v1/attackers/{uuid}/intel is the only public route, matching
  every other /attackers/* route.

Frontend:
- <IntelPanel uuid={id!} /> uses the URL param directly, fetches in
  parallel with the rest of AttackerDetail rather than waiting on
  attacker.ip.

Tests: re-keyed in place, 39 passed (same coverage as before the
refactor). Provider-impl tests untouched.

DEBT-041: closed in DEBT.md (entry preserved as historical rationale,
summary table flipped to ✅, remaining-open list shortened by one).

decnet_web/src/components/AttackerDetail.tsx

@@ -956,6 +956,7 @@ const LeakedIPsRow: React.FC<LeakedIPsRowProps> = ({ leaks, total }) => {
 // fields plus null gaps where a provider hasn't answered yet. We treat
 // every column as optional on the wire.
 type IntelRow = {
+  attacker_uuid: string;
   attacker_ip: string;
   schema_version?: number;
   aggregate_verdict?: 'malicious' | 'suspicious' | 'benign' | 'unknown' | null;
@@ -1013,7 +1014,7 @@ const ProviderRow: React.FC<{
   </div>
 );
 
-const IntelPanel: React.FC<{ ip: string }> = ({ ip }) => {
+const IntelPanel: React.FC<{ uuid: string }> = ({ uuid }) => {
   const [intel, setIntel] = useState<IntelRow | null>(null);
   const [state, setState] = useState<'loading' | 'absent' | 'ok' | 'error'>('loading');
 
@@ -1022,7 +1023,7 @@ const IntelPanel: React.FC<{ ip: string }> = ({ ip }) => {
     const load = async () => {
       setState('loading');
       try {
-        const res = await api.get(`/attackers/${encodeURIComponent(ip)}/intel`);
+        const res = await api.get(`/attackers/${encodeURIComponent(uuid)}/intel`);
         if (!cancelled) {
           setIntel(res.data);
           setState('ok');
@@ -1039,7 +1040,7 @@ const IntelPanel: React.FC<{ ip: string }> = ({ ip }) => {
     };
     load();
     return () => { cancelled = true; };
-  }, [ip]);
+  }, [uuid]);
 
   if (state === 'loading') {
     return (
@@ -1756,13 +1757,13 @@ const AttackerDetail: React.FC = () => {
         );
       })()}
 
-      {/* Threat-Intel Enrichment — keyed by attacker.ip (see DEBT-041) */}
+      {/* Threat-Intel Enrichment — UUID-keyed, fetches in parallel with the parent. */}
       <Section
         title={<><Globe size={14} style={{ verticalAlign: 'middle', marginRight: '6px' }} />THREAT INTEL</>}
         open={openSections.intel}
         onToggle={() => toggle('intel')}
       >
-        <IntelPanel ip={attacker.ip} />
+        <IntelPanel uuid={id!} />
       </Section>
 
       {/* Captured Artifacts */}