feat(ttp): E.3.8 R0001-R0030 command cohort
30 YAMLs for the shell/command rule cohort per Appendix B (rules/ttp/). Splits into engine-active (R0007-R0029, regex on command_text / raw_url / user_agent) and lifter-bound (R0001-R0006, R0030 — the v0 RuleEngine cannot count auth attempts, do identity rollups, or parse fingerprint blobs; the BehavioralLifter / IdentityLifter / CredentialLifter consume them by rule_id at E.3.9 / E.3.13).

test_command_rules.py asserts:
- every R000N has a YAML that compiles
- lifter-bound rules NEVER fire from the v0 engine (regression guard against a YAML drifting into a regex match.spec)
- engine-active rules meet their Appendix-C precision target against the seed corpus (≥0.95 high-conf, ≥0.80 medium)

Conftest fixes: precision_engine moved to module-scope so module-scope precomputed dispatch fixture (fired_by_label) can request it; _RULES_DIR path bumped from parents[2] to parents[3] so the loader resolves the project root regardless of pytest cwd; make_event synthesizes attacker_uuid so TTPTag's anchor invariant is satisfied.

Seed corpus broadened: positive examples for every regex rule plus 6 negative examples across innocuous shell verbs (ls, echo, cd, ps, df, free) so FPs surface in precision rather than passing vacuously.
rules/ttp/R0026.yaml (Normal file, 20 lines)
@@ -0,0 +1,20 @@
rule_id: R0026
rule_version: 1
name: redis_ssh_key_persistence
description: |
redis-cli / nc abuse setting CONFIG dir to /root/.ssh +
writing an authorized_keys SET. Per-command match; the lifter
composes them across a session, but either single command in
isolation still scores the technique.
applies_to:
- command
match:
field: command_text
pattern: '(?i)\bredis(?:-cli)?\b.*\b(?:config\s+set\s+dir|set\s+\S+\s+["'']?ssh-(?:rsa|ed25519|dss))\b'
emits:
- tactic: TA0003
technique_id: T1098
sub_technique_id: T1098.004
confidence: 0.9
evidence_fields:
- command_text
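Review bot: the `config\s+set\s+dir` branch of the pattern fires on any directory, not the `/root/.ssh` the description names, so a routine `redis-cli config set dir /var/lib/redis` would be tagged T1098.004 at confidence 0.9; anchor that branch on `\.ssh` (or on a home-directory path) or split it out as a lower-confidence rule so the Appendix-C ≥0.95 high-confidence target holds beyond the seed corpus. The description also says "redis-cli / nc abuse", but `\bredis(?:-cli)?\b` requires the literal token `redis`, so the nc variant the description promises is only caught when "redis" happens to appear elsewhere in command_text; either narrow the description to redis-cli or add an alternative for the nc form and a matching positive seed example. Minor: `["'']?` is correct inside a single-quoted YAML scalar (the doubled quote escapes to one `'`), but it is easy to misread as a two-character class and deserves a comment.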