feat(canary): ship Node helper with wheel + install-toolchain CLI

The fingerprint canaries' obfuscator shells out to a Node helper that
require()s javascript-obfuscator. Without this commit, a fresh
pip install decnet would land the .py modules but not the .js helper /
package.json, and there'd be no documented way to provision the Node side.

* pyproject.toml - extend tool.setuptools.package-data to ship
  canary/_obfuscate_helper.js, canary/fingerprint_payload.js, and
  canary/package.json with the wheel.
* decnet/cli/canary.py - new "decnet canary-install-toolchain"
  subcommand. Resolves decnet.canary.__file__'s dir, runs
  npm install --omit=dev there, exits non-zero with a clear message
  if npm is missing or install fails. Idempotent - safe to call
  every API service start.
* deploy/decnet-api.service.j2 - non-fatal ExecStartPre that calls
  the new subcommand. Leading '-' so a missing Node toolchain only
  degrades fingerprint canaries (loud at mint time) without keeping
  the API from booting.
* tests/canary/test_cli.py - registration smoke test, missing-npm
  exit path, and a mocked-subprocess test asserting the right argv
  and cwd land on npm.

Realism cultivator already has a broad except Exception around
cultivate() in scheduler.py:195-211, so a missing toolchain on a
host running the realism tick degrades to an inert noise file with
no extra plumbing.
2026-04-29 16:53:27 -04:00
parent 907ade9142
commit f86dc79990
4 changed files with 123 additions and 5 deletions
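The subcommand the commit message describes (resolve the package directory, run `npm install --omit=dev` there, exit non-zero with a clear message when npm is missing or the install fails, stay idempotent) as an added, self-contained sketch. This is example code, not decnet's `decnet/cli/canary.py`: the exit-code constants, the `run`/`which` injection parameters and the optional directory argument are assumptions made so the logic can be exercised offline, the way the mocked-subprocess test in the commit does.

```python
"""Hypothetical sketch of a `canary-install-toolchain`-style subcommand.

Added example (not decnet's own code). Provisions a Node helper's
dependencies by running `npm install --omit=dev` inside the directory that
ships package.json, and maps "npm missing", "npm failed" and "manifest not
shipped" to distinct non-zero exit codes with readable messages.
"""
import shutil
import subprocess
import sys
from pathlib import Path

# Assumed exit codes; the real CLI only promises "non-zero with a clear message".
EXIT_OK = 0
EXIT_NO_NPM = 2        # toolchain absent: degrade loudly, do not crash the service
EXIT_NPM_FAILED = 3    # npm ran but reported an error
EXIT_NO_MANIFEST = 4   # package.json not in the package dir (wheel built without package-data?)


def install_toolchain(package_dir, run=subprocess.run, which=shutil.which):
    """Return (exit_code, message).

    Idempotent: `npm install` is a no-op when node_modules already satisfies
    package.json, so calling this on every service start is safe. `run` and
    `which` are injectable so the argv/cwd handling can be tested without npm.
    """
    package_dir = Path(package_dir)
    manifest = package_dir / "package.json"
    if not manifest.is_file():
        return EXIT_NO_MANIFEST, (
            f"no package.json in {package_dir}; was the wheel built with the "
            "canary package-data entries?"
        )

    npm = which("npm")
    if npm is None:
        return EXIT_NO_NPM, (
            "npm not found on PATH; fingerprint canaries stay disabled until a "
            "Node toolchain is installed"
        )

    argv = [npm, "install", "--omit=dev"]
    # cwd pins npm to the shipped manifest so it cannot walk up the tree and
    # pick up an unrelated package.json.
    proc = run(argv, cwd=str(package_dir), capture_output=True, text=True)
    if proc.returncode != 0:
        tail = (proc.stderr or "").strip().splitlines()[-3:]
        return EXIT_NPM_FAILED, "npm install failed in %s (rc=%d): %s" % (
            package_dir, proc.returncode, " | ".join(tail) or "<no stderr>",
        )
    return EXIT_OK, f"Node toolchain ready in {package_dir}"


def main(argv=None):
    """CLI entry: optional package dir argument, default is this file's dir
    (a stand-in for `Path(decnet.canary.__file__).parent`)."""
    args = sys.argv[1:] if argv is None else argv
    package_dir = args[0] if args else Path(__file__).resolve().parent
    code, msg = install_toolchain(package_dir)
    print(msg, file=sys.stderr if code else sys.stdout)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Because only `install_toolchain` touches the process table, a unit test can assert on the exact argv and cwd handed to npm (and that npm is never invoked when it is absent) without a Node toolchain on the test host.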

@@ -125,7 +125,14 @@ include = ["decnet*"]
[tool.setuptools.package-data]
# Ship docker build contexts + syslog_bridge.py as package data so they land
# in site-packages when agents install the bundle via `pip install`.
decnet = ["templates/**/*"]
# canary/*.js + canary/package.json ship the Node-side toolchain manifest
# so `decnet canary-install-toolchain` can `npm install` post-install.
decnet = [
"templates/**/*",
"canary/_obfuscate_helper.js",
"canary/fingerprint_payload.js",
"canary/package.json",
]
[tool.bandit]
# Docker build contexts — code runs inside decoy containers, not in the
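Review bot: the new `decnet = [ ... ]` package-data list ships `canary/package.json` but no `canary/package-lock.json`, so the `npm install --omit=dev` the commit message runs on every API start resolves dependency versions afresh from the registry on each host rather than reproducing a pinned set; ship the lockfile alongside the manifest and run `npm ci --omit=dev` instead so what lands in site-packages is the tree that was reviewed. Secondary points: this rendering carries no `-`/`+` markers, so it is not visible whether `decnet = ["templates/**/*"]` is the removed line; if both assignments survive, `[tool.setuptools.package-data]` has a duplicate `decnet` key, which is invalid TOML. The comment above it also still says syslog_bridge.py ships as package data, while only `templates/**/*` and the three canary files are listed; either add it or drop it from the comment.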