fix(ttp): correct stale clip tests to ceiling semantics + document ATTACKER_FINGERPRINTED topic

confidence_max is a ceiling (min(base, ceiling)), not a multiplier — the
ASVS pass fixed this (BUG-8: min(base, base*ceiling) -> min(base, ceiling)),
but 4 lifter clip tests still encoded the old base*ceiling math (0.45/0.4/
0.35) and were masked by the make test-web bundle error fail-fast. All four
now assert the 0.5 ceiling. Separately, test_topics_matches_documented_set
lacked attacker.fingerprinted, which worker.py legitimately subscribes to
(JARM/HASSH/tcpfp/ipv6_leak -> TTP tagging). Located via turbovec + git pickaxe.

(cherry picked from commit f83b467c35649a06fa36f4b350e6666379cd71cb)
2026-06-18 19:22:45 -04:00
parent 3a3392bdee
commit a26dfe4d47
5 changed files with 12 additions and 8 deletions


@@ -220,11 +220,12 @@ def test_clipped_state_caps_confidence() -> None:
out = asyncio.run(lifter.tag(
_ev("session", {"beacon_interval_s": 60, "beacon_jitter_pct": 0.05}),
))
# Base confidences in YAML are 0.8 and 0.85; clipped to 0.5 ceiling
# → 0.4 and 0.425 respectively.
# Base confidences in YAML are 0.8 and 0.85; a clipped state caps each
# at the 0.5 ceiling — min(base, 0.5) = 0.5. confidence_max is a ceiling,
# not a multiplier (BUG-8 in the ASVS hardening pass).
assert out
for tag in out:
assert tag.confidence < 0.5
assert tag.confidence == pytest.approx(0.5)
def test_expired_state_treated_as_disabled() -> None:
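Review bot: the new `assert tag.confidence == pytest.approx(0.5)` inside the `for tag in out:` loop only exercises the clamped branch, because both base confidences named in the comment (0.8 and 0.85) are above the 0.5 ceiling. An implementation that returned the ceiling unconditionally would pass this test just as well as min(base, ceiling). Consider adding a case whose base confidence is below 0.5 and asserting that it comes through unchanged, so the ceiling semantics are pinned from both sides and a regression toward either the old multiplier math or a hard-coded ceiling is caught.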