feat(ttp): fail-closed validation that lifter+UKC IDs resolve in ATT&CK bundle

Drift between the technique/tactic IDs hardcoded in the lifters and
what the loaded ATT&CK STIX bundle actually contains is silent in the
status quo: a renamed-or-retired technique just stops being tagged.
Every emission point now has an explicit validator that asserts its
IDs resolve in the loaded bundle, called once at TTP-worker boot.

- intel_lifter.all_emitted_technique_ids() collects every technique
  the four provider tables (AbuseIPDB / GreyNoise / Feodo / ThreatFox)
  plus the decision-flow constants in _greynoise_decisions and
  _feodo_decisions can emit. validate_against_attack_bundle() runs it
  through attack_stix.assert_known_technique_ids().
- ukc.validate_against_attack_bundle() asserts every key in
  ATTACK_TACTIC_TO_UKC resolves, with TA0100..TA0106 documented as
  _NON_ENTERPRISE_TACTICS (lives in the ICS bundle, not the
  enterprise bundle DECNET loads).
- decnet/ttp/worker.py:run_ttp_worker_loop calls both validators
  before subscribing to the bus. A bundle-vs-code mismatch refuses
  to start the worker rather than silently mistagging events.
- tests/ttp/test_attack_bundle_validation.py covers the happy path
  for both validators, the negative path (injected bogus tactic ID
  raises AttackBundleError), the ICS exemption, and the lone T1078
  reference in credential_lifter.

decnet/ttp/impl/intel_lifter.py

@@ -375,7 +375,40 @@ def _emit_filtered(
     return out
 
 
-__all__ = ["IntelLifter"]
+def all_emitted_technique_ids() -> frozenset[str]:
+    """Every technique ID this lifter could emit, drawn from all four provider tables.
+
+    Used by :func:`validate_against_attack_bundle` (and
+    :mod:`tests.ttp.test_attack_catalog`-adjacent tests) to assert that
+    every provider-driven emission resolves in the loaded ATT&CK STIX
+    bundle. Includes the bare-classification emissions in
+    ``_greynoise_decisions`` and the unconditional emissions in
+    ``_feodo_decisions`` — those don't appear in the lookup tables
+    above because they're decision-flow constants, not table entries.
+    """
+    ids: set[str] = set()
+    for techs in _ABUSEIPDB_CATEGORY_TO_TECHNIQUES.values():
+        ids.update(techs)
+    for techs in _GREYNOISE_TAG_TO_TECHNIQUES.values():
+        ids.update(techs)
+    for techs in _THREATFOX_THREAT_TYPE_TO_TECHNIQUES.values():
+        ids.update(techs)
+    # Decision-flow constants (see _greynoise_decisions, _feodo_decisions).
+    ids.update({"T1071", "T1595", "T1588"})
+    return frozenset(ids)
+
+
+def validate_against_attack_bundle() -> None:
+    """Assert every technique ID this lifter could emit resolves in the loaded ATT&CK STIX bundle."""
+    from decnet.ttp.attack_stix import assert_known_technique_ids
+
+    assert_known_technique_ids(
+        list(all_emitted_technique_ids()),
+        source="decnet.ttp.impl.intel_lifter",
+    )
+
+
+__all__ = ["IntelLifter", "all_emitted_technique_ids", "validate_against_attack_bundle"]
 
 
 # Suppress unused-import lint; emit_tags is exposed for parity with the

decnet/ttp/worker.py

@@ -248,6 +248,21 @@ async def run_ttp_worker_loop(
     """
     if tagger is None:
         tagger = get_tagger()
+
+    # Fail closed at boot if any technique/tactic the worker can emit
+    # is missing from the loaded ATT&CK STIX bundle. The bundle is the
+    # canonical source of truth (see decnet/ttp/attack_stix.py) — drift
+    # between the pinned version and what the lifters reference would
+    # silently mistag thousands of events. We run this once per worker
+    # process; the underlying bundle load is itself memoised.
+    from decnet.clustering.ukc import validate_against_attack_bundle as _validate_ukc
+    from decnet.ttp.impl.intel_lifter import (
+        validate_against_attack_bundle as _validate_intel,
+    )
+
+    _validate_intel()
+    _validate_ukc()
+
     log.info(
         "ttp worker started tagger=%s poll_interval_secs=%s topics=%d",
         tagger.name, poll_interval_secs, len(_TOPICS),