feat(prober-cert): schema for active TLS cert capture

Adds storage for TLS certificate details collected from attacker-run
servers by the active prober (sibling to the existing JARM probe).

- AttackerIdentity.tls_cert_sha256 / Campaign.tls_cert_sha256:
  JSON list[str] columns mirroring ja3_hashes / hassh_hashes for
  federation gossip.
- ingester clause 9b: emits a 'tls_certificate' fingerprint bounty
  when a prober event carries subject_cn (disjoint from the existing
  sniffer-gated clause).
- Prober-side capture (ssl.wrap_socket follow-up after JARM) and
  profiler rollup land in sibling commits.

decnet/web/db/models/attackers.py

@@ -154,6 +154,14 @@ class AttackerIdentity(SQLModel, table=True):
     hassh_hashes: Optional[str] = Field(
         default=None, sa_column=Column("hassh_hashes", Text, nullable=True)
     )
+    # JSON list[str] — SHA-256 fingerprints of leaf certs presented by
+    # attacker-run TLS servers, captured by the active prober alongside
+    # JARM. Same federation-gossip rationale as ja3_hashes/hassh_hashes:
+    # a self-signed cert reused across C2 nodes is an instant cluster-link
+    # signal, and TEXT keeps MySQL indexable via prefix length.
+    tls_cert_sha256: Optional[str] = Field(
+        default=None, sa_column=Column("tls_cert_sha256", Text, nullable=True)
+    )
     # Payload SimHash list — 64-bit ints serialized as hex strings.
     # SimHashes are Hamming-comparable, which is the entire reason
     # they're a list (not a set).