feat(tarpit): port-selective tc netem tarpit mode with live log events

- GET/POST/DELETE /api/v1/deckies/{name}/tarpit (admin write, viewer GET)
- get_container_veth() + get_container_pid() in network.py via iflink/ip-link
- TarpitRule SQLModel table + TarpitMixin repo (upsert/get/delete/list)
- Background tarpit_watcher_worker: polls /proc/{pid}/net/tcp every 15s,
  emits tarpit_enter/tarpit_exit log events (edge-triggered, with duration)
- tarpit_enabled/tarpit_disabled logs on operator POST/DELETE actions

decnet/web/db/models/__init__.py

@@ -179,6 +179,12 @@ from .workers import (
     WorkersResponse,
     WorkerStatus,
 )
+from .tarpit import (
+    TarpitEnableRequest,
+    TarpitRule,
+    TarpitRuleResponse,
+    TarpitStatusResponse,
+)
 
 __all__ = [
     # _base
@@ -334,4 +340,9 @@ __all__ = [
     "WorkerControlResponse",
     "WorkersResponse",
     "WorkerStatus",
+    # tarpit
+    "TarpitEnableRequest",
+    "TarpitRule",
+    "TarpitRuleResponse",
+    "TarpitStatusResponse",
 ]

decnet/web/db/models/tarpit.py

@@ -0,0 +1,44 @@
+"""Tarpit rule table + HTTP request/response shapes."""
+from datetime import datetime, timezone
+from typing import Any
+
+from pydantic import BaseModel, Field as PydanticField
+from sqlmodel import Field, SQLModel
+
+
+class TarpitRule(SQLModel, table=True):
+    """One active tarpit rule — one per decky at a time.
+
+    ``ports`` is JSON-encoded (e.g. ``"[22, 80]"``).  One row per decky;
+    ``set_tarpit_rule`` upserts on ``decky_name`` so re-enabling with
+    different parameters replaces the old rule.
+    """
+    __tablename__ = "tarpit_rules"
+
+    id: str = Field(primary_key=True)
+    decky_name: str = Field(index=True, unique=True)
+    ports: str          # JSON list[int]
+    delay_ms: int
+    created_at: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc)
+    )
+    created_by: str     # operator UUID from JWT
+
+
+class TarpitEnableRequest(BaseModel):
+    ports: list[int] = PydanticField(..., min_length=1)
+    delay_ms: int = PydanticField(..., ge=100, le=300_000)
+
+
+class TarpitRuleResponse(BaseModel):
+    id: str
+    decky_name: str
+    ports: list[int]
+    delay_ms: int
+    created_at: datetime
+    created_by: str
+
+
+class TarpitStatusResponse(BaseModel):
+    rule: TarpitRuleResponse
+    active_connections: list[dict[str, Any]]

decnet/web/db/sqlmodel_repo/__init__.py

@@ -48,6 +48,7 @@ from decnet.web.db.sqlmodel_repo.orchestrator import OrchestratorMixin
 from decnet.web.db.sqlmodel_repo.realism import RealismMixin
 from decnet.web.db.sqlmodel_repo.swarm import SwarmMixin
 from decnet.web.db.sqlmodel_repo.topology import TopologyMixin
+from decnet.web.db.sqlmodel_repo.tarpit import TarpitMixin
 from decnet.web.db.sqlmodel_repo.webhooks import WebhooksMixin
 
 
@@ -66,6 +67,7 @@ class SQLModelRepository(
     OrchestratorMixin,
     RealismMixin,
     SwarmMixin,
+    TarpitMixin,
     TopologyMixin,
     WebhooksMixin,
     BaseRepository,

decnet/web/db/sqlmodel_repo/tarpit.py

@@ -0,0 +1,70 @@
+"""Tarpit rule CRUD."""
+from __future__ import annotations
+
+import json
+import uuid
+from datetime import datetime, timezone
+from typing import Any, Optional
+
+from sqlalchemy import select
+
+from decnet.web.db.models import TarpitRule
+
+
+class TarpitMixin:
+    """Mixin: composed onto ``SQLModelRepository``."""
+
+    async def set_tarpit_rule(self, data: dict[str, Any]) -> None:
+        """Upsert a tarpit rule keyed on ``decky_name`` (one rule per decky)."""
+        async with self._session() as session:
+            result = await session.execute(
+                select(TarpitRule).where(TarpitRule.decky_name == data["decky_name"])
+            )
+            existing = result.scalar_one_or_none()
+            if existing:
+                for k, v in data.items():
+                    setattr(existing, k, v)
+                session.add(existing)
+            else:
+                payload = {
+                    "id": str(uuid.uuid4()),
+                    "created_at": datetime.now(timezone.utc),
+                    **data,
+                }
+                session.add(TarpitRule(**payload))
+            await session.commit()
+
+    async def get_tarpit_rule(self, decky_name: str) -> Optional[dict[str, Any]]:
+        async with self._session() as session:
+            result = await session.execute(
+                select(TarpitRule).where(TarpitRule.decky_name == decky_name)
+            )
+            row = result.scalar_one_or_none()
+            if row is None:
+                return None
+            d = row.model_dump(mode="json")
+            d["ports"] = json.loads(d["ports"])
+            return d
+
+    async def delete_tarpit_rule(self, decky_name: str) -> bool:
+        async with self._session() as session:
+            result = await session.execute(
+                select(TarpitRule).where(TarpitRule.decky_name == decky_name)
+            )
+            row = result.scalar_one_or_none()
+            if row is None:
+                return False
+            await session.delete(row)
+            await session.commit()
+            return True
+
+    async def list_tarpit_rules(self) -> list[dict[str, Any]]:
+        async with self._session() as session:
+            result = await session.execute(select(TarpitRule))
+            rows = result.scalars().all()
+            out = []
+            for row in rows:
+                d = row.model_dump(mode="json")
+                d["ports"] = json.loads(d["ports"])
+                out.append(d)
+            return out