feat(api/artifacts): explicit Content-Disposition + X-Content-Type-Options

Harden the attacker-controlled artifact download path (F7) with explicit
response headers instead of relying on Starlette's defaults (which only
emit attachment for non-ASCII filenames and never set nosniff). Also
resolves the THREAT_MODEL F7 path-traversal row (containment check was
already in _resolve_artifact_path) and the fleet-deploy detail=str(e)
audit (all four sites are admin-gated deliberate validator UX or
structured worker-response fields).
2026-04-24 13:24:34 -04:00
parent ec1079e78b
commit 99ccd41bb5
3 changed files with 12 additions and 5 deletions
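The commit message describes hardening the download path by setting `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` explicitly. As an added example, not code from this project and with no Starlette dependency, the block below builds those two headers so that an attacker-influenced stored name cannot terminate the quoted-string (`"`, `\`), split the header (CR/LF) or be emitted as raw non-ASCII; non-ASCII and otherwise-mangled names are carried in an RFC 6266 `filename*=UTF-8''...` parameter alongside an ASCII fallback. The function names and the sample filenames are assumptions made for this example.

```python
"""Safe Content-Disposition / nosniff headers for an artifact download.

Added example: pure Python, not the project's own code and not Starlette's
FileResponse internals.
"""
import re
from urllib.parse import quote

# Control characters, DEL, the double quote and backslash can terminate or
# escape a quoted-string; CR/LF would split the header line.
_UNSAFE_IN_QUOTED_STRING = re.compile(r'[\x00-\x1f\x7f"\\]')

# Punctuation that RFC 5987 attr-char allows unescaped inside filename*=.
_RFC5987_SAFE = "!#$&+-.^_`|~"


def ascii_fallback_filename(name: str) -> str:
    """A value safe to place inside filename="...": ASCII only, with control,
    quote and backslash characters removed. An empty result becomes a
    constant so the header never reads filename=""."""
    ascii_only = name.encode("ascii", "ignore").decode("ascii")
    cleaned = _UNSAFE_IN_QUOTED_STRING.sub("", ascii_only).strip()
    return cleaned or "download"


def content_disposition_attachment(name: str) -> str:
    """RFC 6266 attachment disposition for an untrusted stored name.

    Always emits the ASCII fallback in filename=. When the original name had
    to be changed (non-ASCII, quotes, control characters), also emits
    filename*= with the real name percent-encoded as UTF-8, which browsers
    prefer, so the intended name survives without any header injection.
    """
    # Only the last path segment can be a filename; drop any directory part
    # (both separators) before it reaches a header or a browser.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    fallback = ascii_fallback_filename(base)
    header = f'attachment; filename="{fallback}"'
    if base and fallback != base:
        # quote() keeps "/" by default; restricting safe to attr-char makes it
        # percent-encode spaces, quotes, colons, slashes and CR/LF as well.
        encoded = quote(base, safe=_RFC5987_SAFE, encoding="utf-8")
        header += f"; filename*=UTF-8''{encoded}"
    return header


def artifact_download_headers(name: str) -> dict[str, str]:
    """Headers for an attacker-controlled artifact: force a download and stop
    the browser from sniffing the octet-stream body into HTML or script."""
    return {
        "Content-Disposition": content_disposition_attachment(name),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample names, including hostile ones (not from the project).
    for sample in ("report.pdf", 'evil".txt', "résumé.pdf",
                   "a\r\nX-Injected: 1", "../etc/passwd"):
        print(repr(sample), "->", content_disposition_attachment(sample))
```

The returned dict is what a FileResponse's `headers=` argument expects; because the filename is escaped here, the header can be set explicitly without the quoting and encoding concerns that a plain f-string interpolation of the stored name carries.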


@@ -88,4 +88,8 @@ async def get_artifact(
path=str(path),
media_type="application/octet-stream",
filename=stored_as,
headers={
"Content-Disposition": f'attachment; filename="{stored_as}"',
"X-Content-Type-Options": "nosniff",
},
)
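Review bot: the hand-built header on the `"Content-Disposition": f'attachment; filename="{stored_as}"'` line interpolates `stored_as` raw into a quoted-string, so a stored name containing `"`, `\`, CR or LF produces a malformed or split header, and a non-ASCII name goes out unencoded; these are the cases the `filename=stored_as` kwarg on the line above is there to handle by percent-encoding into `filename*=`. Now that both `filename=` and an explicit `Content-Disposition` are given, which value wins depends on how FileResponse merges its own header with `headers=`, so pick one: either keep `filename=stored_as` and ask the response for an attachment disposition, or keep the explicit header but strip/escape those characters and add a `filename*=UTF-8''...` parameter for non-ASCII names. `nosniff` is the right addition and pairs well with the fixed `application/octet-stream` media type; a one-line comment saying that the explicit header exists because the default does not force `attachment` would save the next reader a trip to the commit message.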