feat(ttp): rich ThreatActor STIX extensions via CustomExtension + CustomObject

- stix_custom.py: DecnetActorFingerprintExt (@CustomExtension) wrapping
  network_behavior (os_guess/hop_distance/tcp_fingerprint/timing_stats/
  phase_sequence/behavior_class/beacon fields/tool_guesses) and
  protocol_fingerprints (ja3_hashes/hassh_hashes/kex_order_raw/
  ssh_client_banners/tls_cert_sha256/payload_simhashes/c2_endpoints).
  XDecnetBehaveProfile (@CustomObject x-decnet-behave-profile) carrying
  full BEHAVE-SHELL observation envelopes + kd_digraph_simhash.
  FINGERPRINT_EXT_DEF singleton extension-definition SDO.
- Drop legacy flat x_decnet_ja3_hashes / x_decnet_hassh_hashes /
  x_decnet_c2_endpoints (pre-v1, no consumers).
- stix_export: _threat_actor() wired to behavior + observations;
  build_attacker_bundle/build_fleet_bundle grow observations parameter.
- Repo: list_observations_by_attacker + get_all_observations_for_export
  abstract + sqlmodel impl; all four export endpoints extended.
- 18 new tests; inter-DECNET round-trip (stix2.parse → typed objects)
  is the primary fidelity assertion.

decnet/web/router/attackers/api_export_attackers_misp.py

@@ -43,13 +43,15 @@ async def api_export_attackers_misp(
     user: dict[str, Any] = Depends(require_viewer),
 ) -> Response:
     """Download a MISP collection JSON covering every observed attacker."""
-    rows, ttp_by_attacker = await asyncio.gather(
+    rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
         repo.get_all_attackers_for_export(),
         repo.get_all_ttp_rollups_for_export(),
+        repo.get_all_observations_for_export(),
     )
     collection = build_fleet_misp_collection(
         rows=rows,
         ttp_by_attacker=ttp_by_attacker,
+        observations_by_attacker=obs_by_attacker,
     )
     ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
     return Response(