feat(ttp): E.3.7 RuleEngine — evaluate + atomic-swap watch_store

Implements the rule engine body left empty at contract phase: evaluate()
dispatches by source_kind through self._by_kind, runs the rule's match
spec against event.payload, and emits one TTPTag per emits entry.
watch_store() loads the initial corpus from RuleStore.load_compiled,
then drains subscribe_changes, applying definition changes via
single-statement dict assignment (atomic swap, GIL-atomic to readers)
and state changes via NamedTuple._replace on the existing CompiledRule.

Why: with the FS + DB stores in place (E.3.5/E.3.6), the engine is the
last piece of the rule plane. Lifters (E.3.9–E.3.13) consume the
engine; the worker bootstrap (E.3.14) wires watch_store into the
asyncio event loop. After this commit a CompositeTagger constructed
with a RuleEngine + a populated rules dir will produce real tags.

Notes:
- CompiledRule.emits extended to 4-tuple
  (technique_id, sub_technique_id, tactic, confidence). Tactic + confidence
  ride per-emit so a single rule can carry multiple precision targets
  (the "one event maps to many techniques" property). Compile helpers in
  both backends extract them from the YAML emits dict; missing tactic
  or confidence is a deploy-time error.
- v0 match operator is "pattern" (regex). The field defaults per
  source_kind (command_text / raw_url / subject / verdict / …) and is
  overridable via match.field. Future ops (contains, equals, in_set)
  extend _match_event without touching the engine surface.
- Confidence model: rules with state="clipped" + confidence_max set
  cap the per-emit confidence downward; clipped is a soft suppress, not
  a hard skip. Disabled rules are skipped wholly; expires_at past is
  re-checked at evaluate as defense-in-depth (the store auto-reverts,
  but a racing read between expiry and revert must not fire the rule).
- _span(name, **attrs) helper in engine + both stores short-circuits on
  decnet.telemetry._ENABLED — matches the project's @traced /
  wrap_repository zero-overhead-when-disabled pattern instead of relying
  solely on the no-op tracer indirection.
- Late-bound tracer (telemetry.get_tracer called per-span, not at
  module load) so test_tracing's monkeypatch reaches the production
  code path.

xfails flipped: tests/ttp/test_rule_engine.py multi-emit fan-out +
rule_version-collision-via-engine; tests/ttp/test_multi_mapping.py
N×M engine fan-out + idempotent replay; tests/ttp/test_tracing.py
ttp.eval span hierarchy + ttp.rule.fire span attributes.

Tests: 214 passed, 19 xfailed (gated on E.3.8 lifters / rule pack /
worker bootstrap).
mypy: clean on prod code; pre-existing test-stub arg-type warnings
unchanged.

development/TTP_TAGGING.md

@@ -2954,7 +2954,16 @@ Order:
 7. **RuleEngine** — implement engine consuming from `RuleStore`.
    Atomic per-rule swap on `RuleChange`. State applied
    after-parsing via `RuleState` join. `test_rule_engine.py`
-   green.
+   green. ✅ done. `CompiledRule.emits` extended to a 4-tuple
+   `(technique_id, sub_technique_id, tactic, confidence)` per emit;
+   the engine fans one match into N `TTPTag` rows. Match operator is
+   `pattern` (regex) for v0; per-source-kind default field
+   (`command_text` / `raw_url` / `subject` / …) overridable via
+   `match.field`. Disabled rules skipped; clipped state caps
+   confidence; `expires_at` re-checked at evaluate as
+   defense-in-depth. Tracing helper `_span(name, **attrs)` short-
+   circuits on `decnet.telemetry._ENABLED`, matching `@traced` /
+   `wrap_repository` zero-overhead-when-disabled pattern.
 8. **Rule pack v0** — write the YAML files for `R0001`–`R0058`
    at `./rules/ttp/`. Each rule lands with its precision-target
    test per Appendix C in the same commit. The corpus for