feat(asn): expose BGP prefix in AsnInfo and enrich_ip

Synthesize the covering CIDR at lookup time from the matched iptoasn
range using ipaddress.summarize_address_range. AsnInfo.prefix is
populated per-query; not persisted in the pickle cache.

enrich_ip now returns (asn, as_name, bgp_prefix, provider_name).
Profiler worker updated to unpack the 4-tuple and write bgp_prefix
into the attacker record dict.

decnet/asn/__init__.py

@@ -6,7 +6,7 @@ Public surface mirrors :mod:`decnet.geoip` so callers can compose them:
 
 * :func:`get_lookup` — returns the singleton :class:`AsnLookup`.
 * :func:`enrich_ip` — takes an IP string, returns
-  ``(asn_int, asn_name, provider_name)`` or ``(None, None, None)``.
+  ``(asn_int, asn_name, bgp_prefix, provider_name)`` or ``(None, None, None, None)``.
 
 Provider selection goes through :func:`~decnet.asn.factory.get_provider`
 (env ``DECNET_ASN_PROVIDER``, default ``iptoasn``). Direct imports of
@@ -51,8 +51,8 @@ def get_lookup(*, force_refresh: bool = False) -> AsnLookup:
     return _lookup
 
 
-def enrich_ip(ip: str) -> Tuple[Optional[int], Optional[str], Optional[str]]:
-    """Return ``(asn, as_name, provider_name)`` or ``(None, None, None)``.
+def enrich_ip(ip: str) -> Tuple[Optional[int], Optional[str], Optional[str], Optional[str]]:
+    """Return ``(asn, as_name, bgp_prefix, provider_name)`` or ``(None, None, None, None)``.
 
     Never raises — any lookup failure collapses to all-None so the
     caller (profiler) can upsert the attacker row regardless.
@@ -62,15 +62,15 @@ def enrich_ip(ip: str) -> Tuple[Optional[int], Optional[str], Optional[str]]:
     touching provider config.
     """
     if os.environ.get("DECNET_ASN_ENABLED", "true").lower() == "false":
-        return (None, None, None)
+        return (None, None, None, None)
     try:
         lookup = get_lookup()
         info = lookup.asn(ip)
         if info is None:
-            return (None, None, None)
-        return (info.asn, info.name or None, _provider_name or "unknown")
+            return (None, None, None, None)
+        return (info.asn, info.name or None, info.prefix, _provider_name or "unknown")
     except Exception:
-        return (None, None, None)
+        return (None, None, None, None)
 
 
 def _files_stale(provider) -> bool:

decnet/asn/lookup.py

@@ -23,11 +23,25 @@ class AsnInfo:
 
     asn: int
     name: str  # AS description / org name; "" if absent in the source data
+    prefix: Optional[str] = None  # synthesized covering CIDR; set at lookup time, not at rest
 
 
 Range = Tuple[int, int, AsnInfo]
 
 
+def _synthesize_prefix(start_int: int, end_int: int, queried_int: int) -> Optional[str]:
+    """Return the most-specific CIDR from [start, end] that contains queried_int."""
+    try:
+        for net in ipaddress.summarize_address_range(
+            ipaddress.IPv4Address(start_int), ipaddress.IPv4Address(end_int)
+        ):
+            if queried_int >= int(net.network_address) and queried_int <= int(net.broadcast_address):
+                return str(net)
+    except (ValueError, TypeError):
+        pass
+    return None
+
+
 @dataclass
 class AsnLookup:
     """Indexed AS lookup over IPv4 ranges."""
@@ -88,7 +102,9 @@ class AsnLookup:
         if idx < 0:
             return None
         if n <= self._ends[idx]:
-            return self._infos[idx]
+            info = self._infos[idx]
+            prefix = _synthesize_prefix(self._starts[idx], self._ends[idx], n)
+            return AsnInfo(asn=info.asn, name=info.name, prefix=prefix)
         return None
 
     def __len__(self) -> int:

decnet/profiler/worker.py

@@ -356,7 +356,7 @@ def _build_record(
     fingerprints = [b for b in bounties if b.get("bounty_type") == "fingerprint"]
     credential_count = sum(1 for b in bounties if b.get("bounty_type") == "credential")
     country_code, country_source = enrich_ip(ip)
-    asn, as_name, asn_source = enrich_ip_asn(ip)
+    asn, as_name, bgp_prefix, asn_source = enrich_ip_asn(ip)
 
     record: dict[str, Any] = {
         "ip": ip,
@@ -377,6 +377,7 @@ def _build_record(
         "country_source": country_source,
         "asn": asn,
         "as_name": as_name,
+        "bgp_prefix": bgp_prefix,
         "asn_source": asn_source,
         "updated_at": datetime.now(timezone.utc),
     }