feat(prober): vendor p0f v2 TCP/IP fingerprint database (LGPL-2.1 → GPLv3 via §3)

Ships the p0f v2.0.8 signature database for passive + active OS
fingerprinting. 375 total signatures across four probe contexts:

- p0f.fp  (262 sigs) — passive SYN fingerprints
- p0fa.fp ( 61 sigs) — SYN-ACK response, for active probes
- p0fr.fp ( 46 sigs) — RST response quirks
- p0fo.fp (  6 sigs) — "stray" packet fingerprints

Replaces reliance on the 10-signature hand-rolled p0f-lite table in
decnet/sniffer/p0f.py for any match job the upstream DB covers.
Keeping the hand-rolled table as a fallback for modern kernels the
v2 DB pre-dates — v2 froze in 2006 so post-Win10 / post-Linux-3.x
kernels won't match against upstream directly. DECNET-authored
additions will go in a sibling p0f-decnet.fp under GPLv3 (not yet
committed; added as the ingester observes real honeypot traffic).

Provenance (full chain in data/README.md):

- Source: Debian snapshot of p0f_2.0.8.orig.tar.gz
- SHA1 matches Debian-recorded 7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875
- Files byte-identical to upstream tarball (verified by hash)

License chain:

- Upstream: LGPL-2.1 (doc/COPYING preserved verbatim as
  data/LICENSE.p0f-upstream, Michal Zalewski's copyright intact).
- DECNET uses the LGPL-2.1 §3 explicit permission to convert to any
  version of the GPL. These files, as consumed in DECNET, are
  effectively GPL-3.0. Chain documented in data/README.md so an
  auditor sees the full reasoning.
- LGPL-2.1 → GPL-3.0 §3 conversion is a settled compat path; same
  mechanism the kernel uses for LGPL userland glue and many other
  projects apply daily.

Rejected path — nmap-os-db under NPSL — because NPSL adds
restrictions GPLv3 §7 prohibits us from accepting. An email is out
to Fyodor requesting an open-source-author exception grant, but we
don't block on it: p0f v2 is a genuine accuracy improvement in
its own right, and adding nmap-osdb later (if granted) plugs into
the same provider interface with zero refactor.

Directory layout mirrors the established provider-subpackage pattern
(see decnet/geoip/, decnet/bus/) per the feedback_provider_
subpackages memory: base + factory + impl/ subpackages, no flat
files. Parser + matcher + factory wiring land in the next commit
sequence.

decnet/prober/osfp/p0f/data/README.md

@@ -0,0 +1,72 @@
+# p0f v2 fingerprint database (vendored)
+
+This directory contains the p0f v2.0.8 TCP/IP fingerprint database as
+published by Michal Zalewski in 2006, vendored here so DECNET's prober
+and profiler can do passive / active OS fingerprinting without a runtime
+network fetch.
+
+## What's in here
+
+| File                  | Purpose                                       | Sigs |
+|-----------------------|-----------------------------------------------|------|
+| `p0f.fp`              | SYN fingerprints (passive, incoming)          | 262  |
+| `p0fa.fp`             | SYN-ACK fingerprints (active probe responses) |  61  |
+| `p0fr.fp`             | RST+ fingerprints (reset-response quirks)     |  46  |
+| `p0fo.fp`             | "stray" fingerprints                          |   6  |
+| `LICENSE.p0f-upstream`| Verbatim LGPL-2.1 text from upstream          | —    |
+
+## Provenance
+
+**Authoritative source:** Debian snapshot archive, `p0f_2.0.8.orig.tar.gz`.
+
+- Archive URL: `https://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool/main/p/p0f/p0f_2.0.8.orig.tar.gz`
+- SHA-1 (upstream-recorded by Debian): `7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875`
+
+Files in this directory are byte-identical copies of the corresponding
+files inside `p0f_2.0.8.orig.tar.gz::p0f/{doc/COPYING, *.fp}`.
+
+## License + DECNET-side licensing stance
+
+Upstream files are licensed under the **GNU Lesser General Public
+License, version 2.1** (see `LICENSE.p0f-upstream` — verbatim copy of
+upstream's `doc/COPYING`). Attribution belongs to Michal Zalewski and
+the named contributors in the original upstream `CREDITS` file.
+
+DECNET is licensed under **GPL-3.0-or-later**. LGPL-2.1 §3 explicitly
+permits converting an LGPL-2.1 work to any version of the GPL at the
+recipient's choice. DECNET exercises that conversion for the vendored
+files: when consumed as part of DECNET they are effectively under
+GPL-3.0. The upstream LGPL-2.1 notice is preserved so:
+
+- Recipients of DECNET see the full chain (original LGPL-2.1 → §3
+  conversion → GPL-3.0), and
+- Anyone who wants to use these signatures under LGPL-2.1 terms
+  (e.g. in an unrelated library) can still do so by pulling the files
+  directly from upstream.
+
+## Modifications to upstream
+
+**None.** The four `.fp` files in this directory are verbatim copies.
+Any DECNET-authored additions go into a sibling file (`p0f-decnet.fp`,
+currently absent) under GPL-3.0, loaded by the same parser. Keeping
+upstream untouched means:
+
+1. Syncing future upstream changes is a one-step file replacement.
+2. Attribution is unambiguous: entries in `p0f*.fp` here are Michal's,
+   entries in `p0f-decnet.fp` are DECNET's.
+3. If we ever want to contribute signatures back to upstream, it's a
+   one-file diff.
+
+## Refreshing upstream
+
+```
+curl -O https://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool/main/p/p0f/p0f_2.0.8.orig.tar.gz
+echo "7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875  p0f_2.0.8.orig.tar.gz" | sha1sum -c
+tar xzf p0f_2.0.8.orig.tar.gz
+cp p0f/p0f.fp p0f/p0fa.fp p0f/p0fr.fp p0f/p0fo.fp decnet/prober/osfp/p0f/data/
+cp p0f/doc/COPYING decnet/prober/osfp/p0f/data/LICENSE.p0f-upstream
+```
+
+p0f v2 is no longer actively maintained upstream (last release 2006),
+so refreshes are effectively N/A — but the procedure is recorded for
+the case where a mirror we trust publishes a signed rebuild.