feat: fleet-wide MACVLAN sniffer microservice

Replace per-decky sniffer containers with a single host-side sniffer
that monitors all traffic on the MACVLAN interface. Runs as a background
task in the FastAPI lifespan alongside the collector, fully fault-isolated
so failures never crash the API.

- Add fleet_singleton flag to BaseService; sniffer marked as singleton
- Composer skips fleet_singleton services in compose generation
- Fleet builder excludes singletons from random service assignment
- Extract TLS fingerprinting engine from templates/sniffer/server.py
  into decnet/sniffer/ package (parameterized for fleet-wide use)
- Sniffer worker maps packets to deckies via IP→name state mapping
- Original templates/sniffer/server.py preserved for future use

tests/test_cli_service_pool.py

@@ -10,11 +10,12 @@ from decnet.services.registry import all_services
 ORIGINAL_5 = {"ssh", "smb", "rdp", "http", "ftp"}
 
 
-def test_all_service_names_covers_full_registry():
-    """_all_service_names() must return every service in the registry."""
+def test_all_service_names_covers_per_decky_services():
+    """_all_service_names() must return every per-decky service (not fleet singletons)."""
     pool = set(_all_service_names())
-    registry = set(all_services().keys())
-    assert pool == registry
+    registry = all_services()
+    per_decky = {name for name, svc in registry.items() if not svc.fleet_singleton}
+    assert pool == per_decky
 
 
 def test_all_service_names_is_sorted():