fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.

tests/db/test_credentials.py

@@ -123,6 +123,32 @@ async def test_get_credentials_for_attacker(repo) -> None:
     assert rows[0]["attacker_ip"] == "10.0.0.5"
 
 
+@pytest.mark.anyio
+async def test_secret_kind_dedups_independently(repo) -> None:
+    """Same sha256, same principal — different secret_kind = different row.
+
+    Two rows with the same content-addressable hash but different kinds
+    represent fundamentally different credentials (e.g. a plaintext
+    password that happens to hash to the same value as a Postgres
+    md5 challenge response is statistically impossible but semantically
+    distinct anyway). Dedup must respect the kind boundary."""
+    base = {
+        "attacker_ip": "10.0.0.5",
+        "decky_name": "decky-01",
+        "service": "ssh",
+        "principal": "root",
+        "secret_sha256": _sha256("hunter2"),
+        "secret_b64": "aHVudGVyMg==",
+        "fields": {},
+    }
+    await repo.upsert_credential({**base, "secret_kind": "plaintext"})
+    await repo.upsert_credential({**base, "secret_kind": "postgres_md5_challenge"})
+    rows = await repo.get_credentials()
+    assert len(rows) == 2
+    kinds = {r["secret_kind"] for r in rows}
+    assert kinds == {"plaintext", "postgres_md5_challenge"}
+
+
 @pytest.mark.anyio
 async def test_filters(repo) -> None:
     base_secret = _sha256("a")

tests/services/test_cred_emitters.py

@@ -154,6 +154,74 @@ async def test_ldap_principal_is_dn():
     assert cred["principal"] == "cn=admin,dc=acme,dc=com"
 
 
+@pytest.mark.asyncio
+async def test_mqtt_native_shape():
+    """MQTT CONNECT — username + password decoded from the wire,
+    emitted as principal + secret_b64. Was silently dropped between
+    Phase 3 (legacy adapter removed) and the MQTT migration commit."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    await _extract_bounty(repo, _native_log(
+        "mqtt", principal="iotuser", password="iotpass",
+    ))
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "mqtt"
+    assert cred["principal"] == "iotuser"
+    assert cred["secret_sha256"] == hashlib.sha256(b"iotpass").hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_postgres_hash_credential():
+    """Postgres MD5 challenge-response — plaintext irrecoverable, lands
+    as secret_kind=postgres_md5_challenge with the raw hash bytes."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    pw_hash = "md5" + "ab" * 16  # 32 hex chars after the "md5" prefix
+    raw = bytes.fromhex("ab" * 16)
+    log_data = {
+        "decky": "decky-01",
+        "service": "postgres",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "username": "postgres",
+            "principal": "postgres",
+            "pw_hash": pw_hash,
+            "secret_kind": "postgres_md5_challenge",
+            "secret_printable": pw_hash,
+            "secret_b64": base64.b64encode(raw).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "postgres"
+    assert cred["secret_kind"] == "postgres_md5_challenge"
+    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_vnc_hash_credential():
+    """VNC DES-encrypted challenge response — same shape, different kind."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    raw = bytes(range(16))
+    log_data = {
+        "decky": "decky-01",
+        "service": "vnc",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "response": raw.hex(),
+            "secret_kind": "vnc_des_response",
+            "secret_printable": raw.hex(),
+            "secret_b64": base64.b64encode(raw).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "vnc"
+    assert cred["secret_kind"] == "vnc_des_response"
+    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
+
+
 @pytest.mark.asyncio
 async def test_lossless_b64_survives_nonprintable_password():
     """Even when secret_printable is sanitized, secret_b64 still decodes