merge: testing → main (reconcile 2-week divergence)

deploy/decnet-reuse-correlator.service.j2

@@ -0,0 +1,41 @@
+[Unit]
+Description=DECNET Credential-Reuse Correlator (cross-target secret-reuse detection)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#reuse-correlator
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User={{ user }}
+Group={{ group }}
+WorkingDirectory={{ install_dir }}
+EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.reuse-correlator.log
+# Subscribes to credential.captured and attacker.observed; falls back to
+# a 60s slow-tick poll when the bus is idle or unavailable. Publishes
+# credential.reuse.detected once per new/grown finding.
+ExecStart={{ venv_dir }}/bin/decnet reuse-correlate
+StandardOutput=append:/var/log/decnet/decnet.reuse-correlator.log
+StandardError=append:/var/log/decnet/decnet.reuse-correlator.log
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ install_dir }} /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target