feat(profiler): persist raw SSH KEX algorithm ordering

Prober already emits kex_algorithms in hassh_fingerprint syslog events, but
the raw ordered list was only queryable via the generic bounty store. Add a
dedicated AttackerBehavior.kex_order_raw column (TEXT, JSON list) so
post-v1 KEX-order fingerprinting has a typed, indexable home.

Pipeline:
  - sniffer_rollup() now consumes hassh_fingerprint events and collects
    distinct kex_algorithms strings across ports.
  - build_behavior_record() JSON-encodes the list (NULL when empty).
  - sqlmodel_repo._deserialize_behavior() parses it back into a list.

Closes pre-v1 gap #1 from SIGNAL_CAPTURE_AUDIT.md.

decnet/web/db/models.py

@@ -175,6 +175,13 @@ class AttackerBehavior(SQLModel, table=True):
         default="{}",
         sa_column=Column("tcp_fingerprint", Text, nullable=False, default="{}"),
     )  # JSON: window, wscale, mss, options_sig
+    # Raw SSH KEX algorithm preference strings observed across HASSH probes
+    # (one entry per hassh_fingerprint event). Keeping the raw ordered list
+    # enables post-hoc KEX-order fingerprinting beyond the HASSH hash.
+    kex_order_raw: Optional[str] = Field(
+        default=None,
+        sa_column=Column("kex_order_raw", Text, nullable=True),
+    )  # JSON list[str] — kex_algorithms comma-separated strings
     retransmit_count: int = Field(default=0)
     # Behavioral (derived by the profiler from log-event timing)
     behavior_class: Optional[str] = None          # beaconing | interactive | scanning | brute_force | slow_scan | mixed | unknown