feat(canary): package scaffolding (base/factory/paths/storage) + tests

Mirrors the decnet.intel layout (base + factory + lazy concrete
imports). Defines:

- CanaryArtifact / CanaryContext dataclasses + the generator and
  instrumenter ABCs they share
- factory dispatch for generators (git_config/env_file/ssh_key/
  aws_creds/honeydoc) and instrumenters (docx/xlsx/pdf/html/image/
  plain/passthrough), plus pick_instrumenter_for_mime() for MIME-driven
  dispatch on operator uploads
- persona-aware default placement paths (Linux vs. Windows-shaped)
  and absolute-path validation that the API will use to validate
  operator-supplied placement_path values
- on-disk blob store: sha256-keyed two-level fan-out, idempotent
  writes, refcount-aware unlink (the DB row is the source of truth)

Also covers prior commits' tests (bus topics, models, repo CRUD)
under tests/canary/. 79 tests, all pass.

tests/canary/test_models.py

@@ -0,0 +1,85 @@
+"""Smoke coverage for the Pydantic request/response shapes + helpers.
+
+The tables themselves are exercised end-to-end in
+:mod:`tests.canary.test_repository`; this module only covers the
+helpers and request validation that don't go through the DB —
+``CanaryTrigger.headers()`` JSON decoding, the
+``CanaryTokenCreateRequest`` body shape, and the dump-roundtrip on
+the response models.
+"""
+from __future__ import annotations
+
+import pytest
+
+from decnet.web.db.models import (
+    CanaryBlobResponse,
+    CanaryTokenCreateRequest,
+    CanaryTokenResponse,
+    CanaryTrigger,
+    CanaryTriggerResponse,
+)
+
+
+def test_create_request_minimal() -> None:
+    r = CanaryTokenCreateRequest(
+        decky_name="web1",
+        kind="http",
+        placement_path="/home/admin/.env",
+        generator="env_file",
+    )
+    assert r.blob_uuid is None
+    assert r.persona_path_hint is None
+
+
+def test_create_request_kind_is_constrained() -> None:
+    with pytest.raises(ValueError):
+        CanaryTokenCreateRequest(
+            decky_name="web1", kind="bogus",  # type: ignore[arg-type]
+            placement_path="/x", generator="aws_creds",
+        )
+
+
+def test_trigger_headers_decode_valid_json() -> None:
+    t = CanaryTrigger(
+        token_uuid="t",
+        src_ip="1.2.3.4",
+        raw_headers='{"user-agent":"curl"}',
+    )
+    assert t.headers() == {"user-agent": "curl"}
+
+
+@pytest.mark.parametrize("raw", ["", "not json", "[1,2,3]", "null"])
+def test_trigger_headers_falls_back_to_empty(raw: str) -> None:
+    t = CanaryTrigger(token_uuid="t", src_ip="1.2.3.4", raw_headers=raw)
+    assert t.headers() == {}
+
+
+def test_response_models_round_trip() -> None:
+    # Canonical shapes — proves the field set + types match what the
+    # router will hand back. Strings everywhere because the DB layer
+    # uses str UUIDs (project convention).
+    blob = CanaryBlobResponse(
+        uuid="b1", sha256="0" * 64, filename="x.docx",
+        content_type="application/octet-stream", size_bytes=1,
+        uploaded_by="u1", uploaded_at="2026-04-27T00:00:00Z",  # type: ignore[arg-type]
+        token_count=2,
+    )
+    assert blob.token_count == 2
+
+    tok = CanaryTokenResponse(
+        uuid="t1", kind="http", decky_name="web1",
+        blob_uuid=None, instrumenter=None, generator="aws_creds",
+        placement_path="/a", callback_token="s",
+        placed_at="2026-04-27T00:00:00Z",  # type: ignore[arg-type]
+        last_triggered_at=None, trigger_count=0,
+        created_by="u1", state="planted", last_error=None,
+    )
+    assert tok.kind == "http"
+
+    trig = CanaryTriggerResponse(
+        uuid="x", token_uuid="t1",
+        occurred_at="2026-04-27T00:00:00Z",  # type: ignore[arg-type]
+        src_ip="1.2.3.4", user_agent=None, request_path=None,
+        dns_qname=None, headers={}, attacker_id=None,
+    )
+    assert trig.src_ip == "1.2.3.4"