feat(ttp): STIX 2.1 bundle export for individual attackers

GET /api/v1/attackers/{uuid}/export/stix returns a self-contained STIX
2.1 bundle: ip observation, threat-actor, ATT&CK attack-patterns with
canonical MITRE IDs, uses relationships, per-tag sightings, file SCOs
for artifacts, domain-name SCOs for SMTP targets, and a provider intel
note. Attack-pattern SDOs carry the MITRE bundle IDs so consumers
deduplicating against the public ATT&CK bundle get exact matches.

decnet/web/db/repository.py

@@ -1485,6 +1485,13 @@ class BaseRepository(ABC):
         """Fleet-wide distinct-technique rollup."""
         raise NotImplementedError
 
+    @abstractmethod
+    async def list_ttp_tags_by_attacker(
+        self, uuid: str, limit: int = 2000,
+    ) -> list[dict[str, Any]]:
+        """Raw ``ttp_tag`` rows for one attacker (for STIX export + similar)."""
+        raise NotImplementedError
+
     async def list_ttp_decky_phases(
         self, identity_uuid: str,
     ) -> list[dict[str, Any]]: