feat(tarpit): port-selective tc netem tarpit mode with live log events

- GET/POST/DELETE /api/v1/deckies/{name}/tarpit (admin write, viewer GET)
- get_container_veth() + get_container_pid() in network.py via iflink/ip-link
- TarpitRule SQLModel table + TarpitMixin repo (upsert/get/delete/list)
- Background tarpit_watcher_worker: polls /proc/{pid}/net/tcp every 15s,
  emits tarpit_enter/tarpit_exit log events (edge-triggered, with duration)
- tarpit_enabled/tarpit_disabled logs on operator POST/DELETE actions

decnet/web/router/deckies/__init__.py

@@ -18,6 +18,7 @@ from .api_services import (
     fleet_services_router,
     topology_services_router,
 )
+from .api_tarpit import router as tarpit_router
 
 deckies_router = APIRouter()
 deckies_router.include_router(file_drop_router)
@@ -27,5 +28,6 @@ deckies_router.include_router(fleet_services_router)
 # umbrella because the *operation* (add/remove a service on a deployed
 # decky) is identical; only the addressing scheme differs.
 deckies_router.include_router(topology_services_router)
+deckies_router.include_router(tarpit_router)
 
 __all__ = ["deckies_router"]