feat(correlation): credential-reuse engine + reuse-correlate worker

Adds CorrelationEngine.correlate_credential_reuse + the
`decnet reuse-correlate` long-running worker. The worker mirrors the
mutator's bus-wake + slow-tick pattern: wakes on credential.captured
and attacker.observed for sub-second latency, falls back to a 60s
poll if the bus is unavailable, and publishes
credential.reuse.detected once per new or grown CredentialReuse row
(group-deduped so a 5-cred reuse doesn't emit 5 partial events).

The web ingester now publishes credential.captured after every
successful Credential upsert; bus + new repo helper
find_credential_reuse_candidates feed the engine pass.

decnet/web/db/repository.py

@@ -179,6 +179,18 @@ class BaseRepository(ABC):
         """
         pass
 
+    @abstractmethod
+    async def find_credential_reuse_candidates(
+        self, min_targets: int = 2
+    ) -> list[dict[str, Any]]:
+        """Group ``credentials`` by ``(secret_sha256, secret_kind, principal)``
+        and return groups whose distinct ``(decky_name, service)`` count is
+        at least *min_targets*. Each entry has the group key, the
+        ``target_count``, and the underlying credential rows for the
+        correlator to fold into ``CredentialReuse``.
+        """
+        pass
+
     @abstractmethod
     async def list_credential_reuses(
         self,