feat(correlation): credential-reuse engine + reuse-correlate worker

Adds CorrelationEngine.correlate_credential_reuse + the
`decnet reuse-correlate` long-running worker. The worker mirrors the
mutator's bus-wake + slow-tick pattern: wakes on credential.captured
and attacker.observed for sub-second latency, falls back to a 60s
poll if the bus is unavailable, and publishes
credential.reuse.detected once per new or grown CredentialReuse row
(group-deduped so a 5-cred reuse doesn't emit 5 partial events).

The web ingester now publishes credential.captured after every
successful Credential upsert; bus + new repo helper
find_credential_reuse_candidates feed the engine pass.

decnet/web/db/repository.py

@@ -179,6 +179,18 @@ class BaseRepository(ABC):
         """
         pass
 
+    @abstractmethod
+    async def find_credential_reuse_candidates(
+        self, min_targets: int = 2
+    ) -> list[dict[str, Any]]:
+        """Group ``credentials`` by ``(secret_sha256, secret_kind, principal)``
+        and return groups whose distinct ``(decky_name, service)`` count is
+        at least *min_targets*. Each entry has the group key, the
+        ``target_count``, and the underlying credential rows for the
+        correlator to fold into ``CredentialReuse``.
+        """
+        pass
+
     @abstractmethod
     async def list_credential_reuses(
         self,

decnet/web/db/sqlmodel_repo.py

@@ -849,6 +849,54 @@ class SQLModelRepository(BaseRepository):
             d["changed"] = changed
             return d
 
+    async def find_credential_reuse_candidates(
+        self, min_targets: int = 2
+    ) -> List[dict[str, Any]]:
+        """Find credential groups crossing the reuse threshold.
+
+        Returns one dict per qualifying ``(secret_sha256, secret_kind,
+        principal)`` group, with the keys plus a ``credentials`` list of
+        the underlying rows so the correlator can fold each into
+        ``CredentialReuse`` via ``upsert_credential_reuse``.
+        """
+        target_expr = func.count(
+            func.distinct(Credential.decky_name + ":" + Credential.service)
+        ).label("target_count")
+        async with self._session() as session:
+            group_stmt = (
+                select(
+                    Credential.secret_sha256,
+                    Credential.secret_kind,
+                    Credential.principal,
+                    target_expr,
+                )
+                .group_by(
+                    Credential.secret_sha256,
+                    Credential.secret_kind,
+                    Credential.principal,
+                )
+                .having(target_expr >= int(min_targets))
+            )
+            groups = (await session.execute(group_stmt)).all()
+            out: List[dict[str, Any]] = []
+            for sha, kind, principal, target_count in groups:
+                cred_stmt = select(Credential).where(
+                    Credential.secret_sha256 == sha,
+                    Credential.secret_kind == kind,
+                    (Credential.principal == principal)
+                    if principal is not None
+                    else Credential.principal.is_(None),
+                )
+                rows = (await session.execute(cred_stmt)).scalars().all()
+                out.append({
+                    "secret_sha256": sha,
+                    "secret_kind": kind,
+                    "principal": principal,
+                    "target_count": int(target_count or 0),
+                    "credentials": [r.model_dump(mode="json") for r in rows],
+                })
+            return out
+
     async def list_credential_reuses(
         self,
         limit: int = 50,