feat: fleet-wide MACVLAN sniffer microservice

Replace per-decky sniffer containers with a single host-side sniffer
that monitors all traffic on the MACVLAN interface. Runs as a background
task in the FastAPI lifespan alongside the collector, fully fault-isolated
so failures never crash the API.

- Add fleet_singleton flag to BaseService; sniffer marked as singleton
- Composer skips fleet_singleton services in compose generation
- Fleet builder excludes singletons from random service assignment
- Extract TLS fingerprinting engine from templates/sniffer/server.py
  into decnet/sniffer/ package (parameterized for fleet-wide use)
- Sniffer worker maps packets to deckies via IP→name state mapping
- Original templates/sniffer/server.py preserved for future use

decnet/sniffer/__init__.py

@@ -0,0 +1,11 @@
+"""
+Fleet-wide MACVLAN sniffer microservice.
+
+Runs as a single host-side background task (not per-decky) that sniffs
+all TLS traffic on the MACVLAN interface, extracts fingerprints, and
+feeds events into the existing log pipeline.
+"""
+
+from decnet.sniffer.worker import sniffer_worker
+
+__all__ = ["sniffer_worker"]