feat(web): drop SessionProfile, wire observations into AttackerDetail (DEBT-050 / DEBT-036 closure)

Destructive half of BEHAVE-INTEGRATION.md Phase 1. SessionProfile +
its kd_* columns + the dialect ALTER TABLE migration helpers are
deleted outright; pre-v1, the table shipped empty, no migration
ceremony required (per the no-new-_migrate_-pre-v1 memory rule).
DEBT-036 closes via DEBT-050 supersedure. AttackerDetail's
``observations`` field is wired to the new ``observations`` table
and returns an empty list until the BEHAVE-SHELL extractor (DEBT-050
Phase 2) starts emitting.

decnet/web/db/models/attackers.py — SessionProfile class deleted
(~135 lines), KD_PAUSE_*/KD_START_OF_ACTION_IDLE_S module constants
deleted, module docstring updated to point at the observations
table. AttackerIdentity.kd_digraph_simhash is KEPT — it's the v2
federation centroid hook, not a SessionProfile field; docstring
repointed to the BEHAVE primitive that will populate it.

decnet/web/db/sqlmodel_repo/attackers/sessions.py — DELETED.
SessionProfilesMixin dropped from the AttackersMixin MRO.

decnet/web/db/repository.py — abstract upsert_session_profile +
get_session_profile removed.

decnet/web/db/sqlite/repository.py + mysql/repository.py —
_migrate_session_profile_table helpers and their initialize() calls
removed. mysql initialize() now goes attackers → column_types →
admin (no session_profile step).

decnet/web/db/models/__init__.py — SessionProfile re-export gone.

decnet/web/db/models/attacker_intel.py — docstring cross-reference
to SessionProfile.schema_version retargeted to AttackerIdentity.

decnet/web/router/attackers/api_get_attacker_detail.py — adds
``observations: []`` to the response by calling
``repo.latest_observation_per_primitive(uuid)`` and projecting to a
list sorted by primitive path. Empty until the extractor lands;
shape matches BEHAVE-INTEGRATION.md §"AttackerDetail consumer".

tests/profiler/test_session_profile.py — DELETED (56 lines).
tests/db/test_base_repo.py — DummyRepo loses upsert_session_profile
and get_session_profile overrides.
tests/db/mysql/test_mysql_migration.py — initialize-call-order
assertion updated; session_profile step removed from the expected
sequence; docstring records why.
tests/ttp/test_lifter_absence.py — docstring "no SessionProfile" →
"no ObservationRow".

tests/db/mysql/test_mysql_migration.py

@@ -191,9 +191,13 @@ async def test_migrate_column_types_default_clause_per_column():
 
 @pytest.mark.asyncio
 async def test_mysql_initialize_calls_migrate_column_types():
-    """MySQLRepository.initialize() must invoke every migration helper in
-    the right order: attackers first, then session_profile (DEBT-036),
-    then column types, then seed the admin user."""
+    """MySQLRepository.initialize() must invoke every migration helper
+    in the right order: attackers first, then column types, then seed
+    the admin user.
+
+    The legacy ``_migrate_session_profile_table`` step (DEBT-036) was
+    dropped when SessionProfile was deleted in favour of the
+    ``observations`` table — see DEBT-050 / BEHAVE-INTEGRATION.md."""
     repo = _make_repo()
 
     call_order: list[str] = []
@@ -201,9 +205,6 @@ async def test_mysql_initialize_calls_migrate_column_types():
     async def fake_migrate_attackers():
         call_order.append("migrate_attackers")
 
-    async def fake_migrate_session_profile():
-        call_order.append("migrate_session_profile")
-
     async def fake_migrate_column_types():
         call_order.append("migrate_column_types")
 
@@ -211,7 +212,6 @@ async def test_mysql_initialize_calls_migrate_column_types():
         call_order.append("ensure_admin")
 
     repo._migrate_attackers_table       = fake_migrate_attackers
-    repo._migrate_session_profile_table = fake_migrate_session_profile
     repo._migrate_column_types          = fake_migrate_column_types
     repo._ensure_admin_user             = fake_ensure_admin
 
@@ -228,7 +228,6 @@ async def test_mysql_initialize_calls_migrate_column_types():
 
     assert call_order == [
         "migrate_attackers",
-        "migrate_session_profile",
         "migrate_column_types",
         "ensure_admin",
     ], f"Unexpected call order: {call_order}"

tests/db/test_base_repo.py

@@ -38,8 +38,6 @@ class DummyRepo(BaseRepository):
     async def upsert_attacker_behavior(self, u, d): await super().upsert_attacker_behavior(u, d)
     async def get_attacker_behavior(self, u): await super().get_attacker_behavior(u)
     async def get_behaviors_for_ips(self, ips): await super().get_behaviors_for_ips(ips)
-    async def upsert_session_profile(self, sid, data): await super().upsert_session_profile(sid, data)
-    async def get_session_profile(self, sid): await super().get_session_profile(sid)
     # BEHAVE-SHELL observations (DEBT-050 / BEHAVE-INTEGRATION.md Phase 1)
     async def upsert_observation(self, data): await super().upsert_observation(data); return ""
     async def latest_observation_per_primitive(self, attacker_uuid): await super().latest_observation_per_primitive(attacker_uuid); return {}
@@ -129,8 +127,6 @@ async def test_base_repo_coverage():
     await dr.upsert_attacker_behavior("a", {})
     await dr.get_attacker_behavior("a")
     await dr.get_behaviors_for_ips({"1.1.1.1"})
-    await dr.upsert_session_profile("sid", {})
-    await dr.get_session_profile("sid")
     await dr.upsert_observation({})
     await dr.latest_observation_per_primitive("a")
     await dr.observations_time_series("a", "motor.input_modality")

tests/profiler/test_session_profile.py

@@ -1,55 +0,0 @@
-"""
-Tests for the session_profile table + repo helpers (SIGNAL_CAPTURE_AUDIT gap #2).
-
-Pre-v1 the ingestion job that populates keystroke-dynamics features is
-deferred; this suite exercises the empty-write path (one row per session,
-all feature columns NULL) and round-trips a filled row so future work can
-land without re-discovering the schema.
-"""
-import pytest
-from decnet.web.db.factory import get_repository
-
-
-@pytest.fixture
-async def repo(tmp_path):
-    r = get_repository(db_path=str(tmp_path / "session_profile.db"))
-    await r.initialize()
-    return r
-
-
-@pytest.mark.anyio
-async def test_empty_write_path_ships_null_features(repo):
-    # Session close writes `{}` — schema_version defaults to 1, all feature
-    # columns stay NULL.
-    await repo.upsert_session_profile("sid-1", {})
-    row = await repo.get_session_profile("sid-1")
-    assert row is not None
-    assert row["sid"] == "sid-1"
-    assert row["schema_version"] == 1
-    assert row["kd_iki_mean"] is None
-    assert row["kd_digraph_simhash"] is None
-    assert row["total_keystrokes"] is None
-
-
-@pytest.mark.anyio
-async def test_upsert_replaces_existing(repo):
-    await repo.upsert_session_profile("sid-2", {})
-    await repo.upsert_session_profile(
-        "sid-2",
-        {
-            "kd_iki_mean": 0.120,
-            "kd_iki_p95": 0.450,
-            "total_keystrokes": 512,
-            "session_duration_s": 61.3,
-        },
-    )
-    row = await repo.get_session_profile("sid-2")
-    assert row["kd_iki_mean"] == pytest.approx(0.120)
-    assert row["kd_iki_p95"] == pytest.approx(0.450)
-    assert row["total_keystrokes"] == 512
-    assert row["session_duration_s"] == pytest.approx(61.3)
-
-
-@pytest.mark.anyio
-async def test_get_missing_returns_none(repo):
-    assert await repo.get_session_profile("does-not-exist") is None

tests/ttp/test_lifter_absence.py

@@ -2,7 +2,7 @@
 
 Every per-source lifter is allowed (and expected) to encounter
 events whose required join is missing — no ``AttackerIntel`` row,
-no ``SessionProfile``, no ``AttackerBehavior``, no canary record,
+no ``ObservationRow``, no ``AttackerBehavior``, no canary record,
 no identity row, no ``CredentialReuse`` entry. Absence is the
 steady state, not the exception. The contract pinned here: