fix(packaging): move templates/ into decnet/ package so they ship with pip install

The docker build contexts and syslog_bridge.py lived at repo root, which
meant setuptools (include = ["decnet*"]) never shipped them. Agents
installed via `pip install $RELEASE_DIR` got site-packages/decnet/** but no
templates/, so every deploy blew up in deployer._sync_logging_helper with
FileNotFoundError on templates/syslog_bridge.py.

Move templates/ -> decnet/templates/ and declare it as setuptools
package-data. Path resolutions in services/*.py and engine/deployer.py drop
one .parent since templates now lives beside the code. Test fixtures,
bandit exclude path, and coverage omit glob updated to match.

decnet/templates/llmnr/Dockerfile

@@ -0,0 +1,24 @@
+ARG BASE_IMAGE=debian:bookworm-slim
+FROM ${BASE_IMAGE}
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY syslog_bridge.py /opt/syslog_bridge.py
+COPY server.py /opt/server.py
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 5355/udp
+EXPOSE 5353/udp
+RUN useradd -r -s /bin/false -d /opt logrelay \
+ && apt-get update && apt-get install -y --no-install-recommends libcap2-bin \
+ && rm -rf /var/lib/apt/lists/* \
+ && (find /usr/bin/ -maxdepth 1 -name 'python3*' -type f -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true)
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD kill -0 1 || exit 1
+
+USER logrelay
+ENTRYPOINT ["/entrypoint.sh"]

decnet/templates/llmnr/entrypoint.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+exec python3 /opt/server.py

decnet/templates/llmnr/server.py

@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+"""
+LLMNR / mDNS poisoning detector (UDP 5355 and UDP 5353).
+Listens for any incoming name-resolution queries. Any traffic here is a
+strong signal of an attacker running Responder or similar tools on the LAN.
+Logs every packet with source IP and decoded query name where possible.
+"""
+
+import asyncio
+import os
+import struct
+from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
+
+NODE_NAME = os.environ.get("NODE_NAME", "lan-host")
+SERVICE_NAME   = "llmnr"
+LOG_TARGET = os.environ.get("LOG_TARGET", "")
+
+
+
+
+def _log(event_type: str, severity: int = 6, **kwargs) -> None:
+    line = syslog_line(SERVICE_NAME, NODE_NAME, event_type, severity, **kwargs)
+    write_syslog_file(line)
+    forward_syslog(line, LOG_TARGET)
+
+
+def _decode_dns_name(data: bytes, offset: int) -> str:
+    """Decode a DNS-encoded label sequence starting at offset."""
+    labels = []
+    visited = set()
+    pos = offset
+    while pos < len(data):
+        if pos in visited:
+            break
+        visited.add(pos)
+        length = data[pos]
+        if length == 0:
+            break
+        if length & 0xc0 == 0xc0:  # pointer
+            if pos + 1 >= len(data):
+                break
+            ptr = ((length & 0x3f) << 8) | data[pos + 1]
+            labels.append(_decode_dns_name(data, ptr))
+            break
+        pos += 1
+        labels.append(data[pos:pos + length].decode(errors="replace"))
+        pos += length
+    return ".".join(labels)
+
+
+def _parse_query(data: bytes, proto: str, src_addr) -> None:
+    """Parse DNS/LLMNR/mDNS query and log the queried name."""
+    try:
+        if len(data) < 12:
+            raise ValueError("too short")
+        flags = struct.unpack(">H", data[2:4])[0]
+        qr = (flags >> 15) & 1
+        qdcount = struct.unpack(">H", data[4:6])[0]
+        if qr != 0 or qdcount < 1:
+            return  # not a query or no questions
+        name = _decode_dns_name(data, 12)
+        pos = 12
+        while pos < len(data) and data[pos] != 0:
+            pos += data[pos] + 1
+        pos += 1
+        qtype = struct.unpack(">H", data[pos:pos + 2])[0] if pos + 2 <= len(data) else 0
+        _log(
+            "query",
+            proto=proto,
+            src=src_addr[0],
+            src_port=src_addr[1],
+            name=name,
+            qtype=qtype,
+        )
+    except Exception as e:
+        _log("raw_packet", proto=proto, src=src_addr[0], data=data[:64].hex(), error=str(e))
+
+
+class LLMNRProtocol(asyncio.DatagramProtocol):
+    def __init__(self, proto_label: str):
+        self._proto = proto_label
+
+    def datagram_received(self, data, addr):
+        _parse_query(data, self._proto, addr)
+
+    def error_received(self, exc):
+        pass
+
+
+async def main():
+    _log("startup", msg=f"LLMNR/mDNS server starting as {NODE_NAME}")
+    loop = asyncio.get_running_loop()
+
+    # LLMNR: UDP 5355
+    llmnr_transport, _ = await loop.create_datagram_endpoint(
+        lambda: LLMNRProtocol("LLMNR"),
+        local_addr=("0.0.0.0", 5355),  # nosec B104
+    )
+    # mDNS: UDP 5353
+    mdns_transport, _ = await loop.create_datagram_endpoint(
+        lambda: LLMNRProtocol("mDNS"),
+        local_addr=("0.0.0.0", 5353),  # nosec B104
+    )
+
+    try:
+        await asyncio.sleep(float("inf"))
+    finally:
+        llmnr_transport.close()
+        mdns_transport.close()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

decnet/templates/llmnr/syslog_bridge.py

@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+"""
+Shared RFC 5424 syslog helper used by service containers.
+
+Services call syslog_line() to format an RFC 5424 message, then
+write_syslog_file() to emit it to stdout — the container runtime
+captures it, and the host-side collector streams it into the log file.
+
+RFC 5424 structure:
+  <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
+
+Facility: local0 (16). SD element ID uses PEN 55555.
+"""
+
+from datetime import datetime, timezone
+from typing import Any
+
+# ─── Constants ────────────────────────────────────────────────────────────────
+
+_FACILITY_LOCAL0 = 16
+_SD_ID = "relay@55555"
+_NILVALUE = "-"
+
+SEVERITY_EMERG   = 0
+SEVERITY_ALERT   = 1
+SEVERITY_CRIT    = 2
+SEVERITY_ERROR   = 3
+SEVERITY_WARNING = 4
+SEVERITY_NOTICE  = 5
+SEVERITY_INFO    = 6
+SEVERITY_DEBUG   = 7
+
+_MAX_HOSTNAME = 255
+_MAX_APPNAME  = 48
+_MAX_MSGID    = 32
+
+# ─── Formatter ────────────────────────────────────────────────────────────────
+
+def _sd_escape(value: str) -> str:
+    """Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
+    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
+
+
+def _sd_element(fields: dict[str, Any]) -> str:
+    if not fields:
+        return _NILVALUE
+    params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
+    return f"[{_SD_ID} {params}]"
+
+
+def syslog_line(
+    service: str,
+    hostname: str,
+    event_type: str,
+    severity: int = SEVERITY_INFO,
+    timestamp: datetime | None = None,
+    msg: str | None = None,
+    **fields: Any,
+) -> str:
+    """
+    Return a single RFC 5424-compliant syslog line (no trailing newline).
+
+    Args:
+        service:    APP-NAME (e.g. "http", "mysql")
+        hostname:   HOSTNAME (node name)
+        event_type: MSGID    (e.g. "request", "login_attempt")
+        severity:   Syslog severity integer (default: INFO=6)
+        timestamp:  UTC datetime; defaults to now
+        msg:        Optional free-text MSG
+        **fields:   Encoded as structured data params
+    """
+    pri     = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
+    ts      = (timestamp or datetime.now(timezone.utc)).isoformat()
+    host    = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
+    appname = (service  or _NILVALUE)[:_MAX_APPNAME]
+    msgid   = (event_type or _NILVALUE)[:_MAX_MSGID]
+    sd      = _sd_element(fields)
+    message = f" {msg}" if msg else ""
+    return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
+
+
+def write_syslog_file(line: str) -> None:
+    """Emit a syslog line to stdout for container log capture."""
+    print(line, flush=True)
+
+
+def forward_syslog(line: str, log_target: str) -> None:
+    """No-op stub. TCP forwarding is handled by rsyslog, not by service containers."""
+    pass