fix(core): close HIGH ASVS findings V7.1.1 and correctness bugs BUG-1..6

- V7.1.1: /swarm/check no longer returns raw exception text; logs detail
  server-side, returns generic 'probe failed'.
- BUG-1: register EditAction -> SSHDriver so edit ticks no longer crash.
- BUG-2: topology reconcile matches generator-named deckies by
  expected-name membership instead of a hyphen heuristic.
- BUG-3: intel provider lookups acquire the per-provider semaphore so
  declared concurrency bounds are enforced.
- BUG-4: RuleIndex.install evicts a rule from kinds it no longer applies to.
- BUG-5: UnixSocketBus.connect() is lock-guarded with a double-check so
  concurrent first-connects open exactly one socket and reader task.
- BUG-6/V5.1.3: multi-token JSON-field search binds each token to a
  distinct parameter instead of collapsing to the last value.

Regression tests added for every fix, verified red-before/green-after.
V4.1.1c/V12.1.1 (updater master-CN gate) and V12.5.1 (tarball include-list)
confirmed already fixed in prior commits and left untouched.

decnet/ttp/impl/_rule_index.py

@@ -68,6 +68,15 @@ class RuleIndex:
         if not rule.applies_to and not rule.emits:
             self.evict(rule.rule_id)
             return
+        # Evict stale kind-buckets for any kinds the updated rule no longer
+        # claims, so re-install with a narrower applies_to doesn't leave
+        # ghost entries in the old buckets.
+        old = self._by_rule.get(rule.rule_id)
+        if old is not None:
+            stale_kinds = old.applies_to - rule.applies_to
+            for kind in stale_kinds:
+                current = self._by_kind.get(kind, [])
+                self._by_kind[kind] = [r for r in current if r.rule_id != rule.rule_id]
         self._by_rule[rule.rule_id] = rule
         for kind in rule.applies_to:
             current = self._by_kind.get(kind, [])