feat(correlation/attribution): wire bus handler, persist state (Phase 4)

attribution_worker.handle_observation_event now executes the full
end-to-end path:

* ensure stub identity (Phase 1)
* observations_for_identity_primitive() — new repo helper joining
  observations through attackers.identity_id, so v1's clusterer
  gets cross-attacker rollup for free
* aggregate_observations() with ValueKind dispatched off the BEHAVE
  PRIMITIVE_REGISTRY; unknown primitives default to categorical
* upsert_attribution_state() — last_change_ts locked when state is
  unchanged so the dashboard can render "stable since X"
* publish attribution.profile.state_changed only on transition;
  idempotent re-runs over the same observation set fire nothing
  (loop-prevention invariant matching ttp.tagged)

Tests:
* 5 end-to-end attribution scenarios over in-memory SQLite + FakeBus.
* test_base_repo's DummyRepo + coverage body now stub every abstract
  surface BaseRepository declares — the 6 added by this branch plus
  the 12 left un-stubbed by earlier work (BEHAVE Phase 1, TTP
  rollups, iter helpers). The coverage test could not previously
  even instantiate.
* test_aggregate_categorical's dispatcher rejection updated for the
  Phase 3 + 4 contract — ValueError on unknown kinds, not
  NotImplementedError.

decnet/web/db/repository.py

@@ -341,6 +341,20 @@ class BaseRepository(ABC):
         ordered by ``ts`` ASC. Empty list when none."""
         raise NotImplementedError
 
+    @abstractmethod
+    async def observations_for_identity_primitive(
+        self, identity_uuid: str, primitive: str,
+    ) -> list[dict[str, Any]]:
+        """Every observation of ``primitive`` across all attackers
+        rolling up to ``identity_uuid``, ordered by ``ts`` ASC.
+
+        Empty list when the identity has no observations of this
+        primitive. v0 with 1:1 stub identities returns the same set
+        as ``observations_time_series(attacker_uuid, primitive)``;
+        v1's clusterer makes the union meaningful.
+        """
+        raise NotImplementedError
+
     @abstractmethod
     async def has_observations_for_evidence(self, evidence_ref: str) -> bool:
         """True iff any observation row carries this ``evidence_ref``.

decnet/web/db/sqlmodel_repo/observations.py

@@ -25,7 +25,7 @@ from typing import Any, Optional
 from sqlalchemy import desc, func, select
 from sqlmodel import col
 
-from decnet.web.db.models import ObservationRow
+from decnet.web.db.models import Attacker, ObservationRow
 from decnet.web.db.sqlmodel_repo._helpers import _MixinBase
 
 
@@ -164,6 +164,34 @@ class ObservationsMixin(_MixinBase):
                 return None
             return row.model_dump(mode="json")
 
+    async def observations_for_identity_primitive(
+        self, identity_uuid: str, primitive: str,
+    ) -> list[dict[str, Any]]:
+        """Union of every observation of *primitive* across the
+        attackers rolling up to *identity_uuid*, ordered ``ts`` ASC.
+
+        v0 with 1:1 stub identities returns the same set as
+        ``observations_time_series(attacker_uuid, primitive)``.
+        v1's clusterer makes the union load-bearing — multiple
+        attackers point at the same identity_id and this query is
+        what gives the merger a cross-attacker view.
+        """
+        async with self._session() as session:
+            stmt = (
+                select(ObservationRow)
+                .join(Attacker, ObservationRow.attacker_uuid == Attacker.uuid)
+                .where(
+                    Attacker.identity_id == identity_uuid,
+                    ObservationRow.primitive == primitive,
+                )
+                .order_by(ObservationRow.ts)
+            )
+            rows = (await session.execute(stmt)).scalars().all()
+            return [
+                {"ts": row.ts, "value": row.value, "confidence": row.confidence}
+                for row in rows
+            ]
+
     async def has_observations_for_evidence(
         self, evidence_ref: str,
     ) -> bool: