chore(polkit): allow decnet group to manage decnet-*.service without password

Scoped rule — matches only `decnet-<name>.service` and `decnet.target`.
Any unit outside that regex falls through to the default polkit policy.
Required so the API (running as the `decnet` user) can invoke
`systemctl start decnet-<name>.service` non-interactively.

deploy/polkit/50-decnet-workers.rules

@@ -0,0 +1,19 @@
+// Allow members of the 'decnet' group to manage DECNET systemd units
+// (start / stop / restart / reload) without a password prompt.
+//
+// Scope is locked to units matching `decnet-<name>.service` or the
+// `decnet.target` grouping unit. Any other unit is unaffected by this
+// rule and still goes through the default polkit policy.
+//
+// Install: /etc/polkit-1/rules.d/50-decnet-workers.rules
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units") {
+        var unit = action.lookup("unit");
+        if (unit &&
+            /^decnet-[a-z]+\.service$|^decnet\.target$/.test(unit) &&
+            subject.isInGroup("decnet")) {
+            return polkit.Result.YES;
+        }
+    }
+});