feat(api): canary token CRUD router (/api/v1/canary) + tests

Two sub-routers under /api/v1/canary:

blobs (operator-uploaded artifacts, deduped by sha256):
- POST   /blobs          (multipart upload; admin)
- GET    /blobs          (list with token_count; admin)
- DELETE /blobs/{uuid}   (refcount-aware; 409 when referenced; admin)

tokens (per-decky planted artifacts):
- POST   /tokens                          (generate or instrument + plant; admin)
- GET    /tokens?decky_name=&kind=&state= (filter; viewer)
- GET    /tokens/{uuid}                   (detail; viewer)
- GET    /tokens/{uuid}/preview           (instrumented bytes; admin)
- GET    /tokens/{uuid}/triggers          (paged callback log; viewer)
- DELETE /tokens/{uuid}                   (revoke + bus event; admin)

XOR validation: exactly one of blob_uuid / generator must be set.
Path validation rejects relative/NUL/newlines/.. segments. Every
body-bearing route documents 400 plus 401/403/404 as applicable.

Stdlib MIME sniffer (no python-magic dep) covers PNG/JPEG/GIF/PDF/
HTML/XML/DOCX/XLSX/JSON/YAML/TOML/text/plain; everything else falls
through to passthrough.

Tests run end-to-end through the live FastAPI app (planter docker
exec is patched); 17 cases covering dedup, refcount, lifecycle,
XOR validation, path validation, and 404 paths.

decnet/web/router/canary/api_blobs.py

@@ -0,0 +1,172 @@
+"""Operator-uploaded canary blob CRUD.
+
+Three endpoints:
+
+* ``POST /blobs`` — multipart upload; sniffs MIME from the magic
+  bytes (no python-magic dependency), persists to disk under the
+  sha256 hash, returns the (possibly pre-existing) row.
+* ``GET /blobs`` — list all blobs with their live token reference
+  count.
+* ``DELETE /blobs/{uuid}`` — refcount-aware delete; returns 409 if
+  any token still references the blob.
+
+Admin-gated: blobs are operator-supplied content that may carry
+sensitive material (real-looking financial reports, etc.); listing
+them and deleting them is an admin operation.  Reading them via the
+preview path is also admin-gated.
+"""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import Any
+
+from fastapi import APIRouter, Depends, File, HTTPException, UploadFile
+
+from decnet.canary import storage
+from decnet.logging import get_logger
+from decnet.web.db.models import (
+    CanaryBlobResponse,
+    CanaryBlobsResponse,
+    MessageResponse,
+)
+from decnet.web.dependencies import repo, require_admin
+
+log = get_logger("api.canary.blobs")
+
+router = APIRouter(prefix="/blobs", tags=["Canary"])
+
+
+# --- MIME sniffing (stdlib-only, replaces python-magic) -------------------
+#
+# The DOCX/XLSX/PDF/PNG/JPEG/GIF/HTML/JSON/YAML space covers everything
+# our instrumenters know how to mutate.  Anything else falls through to
+# ``application/octet-stream`` and the API routes the token to the
+# ``passthrough`` instrumenter.
+
+_MAGIC_TABLE: tuple[tuple[bytes, str], ...] = (
+    (b"\x89PNG\r\n\x1a\n", "image/png"),
+    (b"\xff\xd8\xff", "image/jpeg"),
+    (b"GIF87a", "image/gif"),
+    (b"GIF89a", "image/gif"),
+    (b"%PDF-", "application/pdf"),
+    # OOXML (DOCX/XLSX) starts with PK\x03\x04 but so do plain zips.
+    # We disambiguate by Content_Types entry below.
+    (b"<!DOCTYPE", "text/html"),
+    (b"<html", "text/html"),
+    (b"<HTML", "text/html"),
+    (b"<?xml", "application/xml"),
+)
+
+
+def _sniff_mime(filename: str, head: bytes) -> str:
+    for marker, mime in _MAGIC_TABLE:
+        if head.startswith(marker):
+            return mime
+    if head[:4] == b"PK\x03\x04":
+        # OOXML alias detection: peek for the document-specific Override
+        # in [Content_Types].xml. We only need to look at the first
+        # block; the central directory comes later.
+        if b"wordprocessingml" in head:
+            return "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
+        if b"spreadsheetml" in head:
+            return "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+        return "application/zip"
+    # Plaintext heuristic: if the head decodes as printable utf-8 we
+    # call it text/plain — that's good enough to route to the plain
+    # instrumenter, which also handles json/yaml/toml.
+    try:
+        head.decode("utf-8")
+        if all(b in (0x09, 0x0A, 0x0D) or b >= 0x20 for b in head[:128]):
+            lf = filename.lower()
+            if lf.endswith((".json",)):
+                return "application/json"
+            if lf.endswith((".yaml", ".yml")):
+                return "application/yaml"
+            if lf.endswith((".toml",)):
+                return "application/toml"
+            return "text/plain"
+    except UnicodeDecodeError:
+        pass
+    return "application/octet-stream"
+
+
+def _row_to_response(row: dict[str, Any]) -> CanaryBlobResponse:
+    return CanaryBlobResponse(**row)
+
+
+@router.post(
+    "",
+    response_model=CanaryBlobResponse,
+    status_code=201,
+    responses={
+        400: {"description": "Empty file or unreadable upload"},
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+    },
+)
+async def api_upload_blob(
+    file: UploadFile = File(...),
+    admin: dict = Depends(require_admin),
+) -> CanaryBlobResponse:
+    content = await file.read()
+    if not content:
+        raise HTTPException(status_code=400, detail="uploaded file is empty")
+    sniffed = _sniff_mime(file.filename or "", content[:1024])
+    sha, _path, size = storage.write_blob(content)
+    row = await repo.upsert_canary_blob({
+        "sha256": sha,
+        "filename": file.filename or "(unnamed)",
+        "content_type": sniffed,
+        "size_bytes": size,
+        "uploaded_by": admin.get("uuid", "unknown"),
+        "uploaded_at": datetime.now(timezone.utc),
+    })
+    row.setdefault("token_count", 0)
+    return _row_to_response(row)
+
+
+@router.get(
+    "",
+    response_model=CanaryBlobsResponse,
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+    },
+)
+async def api_list_blobs(
+    admin: dict = Depends(require_admin),
+) -> CanaryBlobsResponse:
+    rows = await repo.list_canary_blobs()
+    return CanaryBlobsResponse(
+        blobs=[_row_to_response(r) for r in rows],
+        total=len(rows),
+    )
+
+
+@router.delete(
+    "/{uuid}",
+    response_model=MessageResponse,
+    responses={
+        404: {"description": "Blob not found"},
+        409: {"description": "Blob still referenced by a token"},
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+    },
+)
+async def api_delete_blob(
+    uuid: str,
+    admin: dict = Depends(require_admin),
+) -> MessageResponse:
+    existing = await repo.get_canary_blob(uuid)
+    if existing is None:
+        raise HTTPException(status_code=404, detail="blob not found")
+    deleted = await repo.delete_canary_blob(uuid)
+    if not deleted:
+        raise HTTPException(
+            status_code=409,
+            detail="blob is still referenced by one or more tokens",
+        )
+    # DB row is gone; best-effort unlink the bytes on disk.  A failure
+    # here leaves a recoverable orphan, never a dangling DB ref.
+    storage.unlink_blob(existing["sha256"])
+    return MessageResponse(message="ok")