feat(profiler): write ASN + AS name onto attacker rows
Adds asn (int), as_name (varchar 128), asn_source (varchar 16) to the Attacker SQLModel — direct columns, no _migrate_* helper per feedback_no_new_migrations_prev1. Profiler worker now calls decnet.asn.enrich_ip alongside the existing geoip enrich_ip; both feed the upsert payload. Failure is total — if either lookup throws or the IP is private/unannounced, the field stays None and the row still writes. Both lookups are independent: a CGNAT address can have a country (RIR allocation) but no ASN (no BGP origin), and vice-versa for unrouted RIR-allocated space. Storing them separately preserves that signal.
@@ -63,6 +63,12 @@ class Attacker(SQLModel, table=True):
|
||||
# Nullable because private / loopback / IPv6 sources never resolve.
|
||||
country_code: Optional[str] = Field(default=None, max_length=2, index=True)
|
||||
country_source: Optional[str] = Field(default=None, max_length=16)
|
||||
# ASN enrichment (populated by the profiler from decnet.asn.enrich_ip).
|
||||
# Nullable for the same reasons as country_code, plus IPs not currently
|
||||
# announced in the global BGP table (e.g. CGNAT, dark space).
|
||||
asn: Optional[int] = Field(default=None, index=True)
|
||||
as_name: Optional[str] = Field(default=None, max_length=128)
|
||||
asn_source: Optional[str] = Field(default=None, max_length=16)
|
||||
# Reverse-DNS (PTR) name, one-shot resolved by the profiler at first
|
||||
# sighting. Nullable — many attackers run infra with no rDNS, and
|
||||
# private/loopback addresses never resolve. 256 chars matches
|
||||
|
||||
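Review bot: `asn: Optional[int] = Field(default=None, index=True)` maps to a plain INTEGER column, which is signed 32-bit on PostgreSQL and MySQL, while AS numbers are unsigned 32-bit values (RFC 6793). Anything above 2147483647, such as the private-use range starting at 4200000000, would be rejected on those backends; if either is a deployment target, consider declaring the column as a BigInteger. Separately, `as_name` is filled from the ASN lookup result and capped at `max_length=128`. The hunk does not show whether the profiler truncates the value before the upsert, and an over-long name rejected by the database would work against the commit message's statement that the row still writes. It would also help to list the values `asn_source` can take in the comment block, since nothing visible here constrains the 16-character string.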