feat(geoip): country-code enrichment via RIR delegated-stats

Populates Attacker.country_code + country_source (MVP) using the five
RIR delegated-stats files (ARIN/RIPE/APNIC/LACNIC/AFRINIC). Offline,
license-free, no outbound traffic that could burn honeypot stealth.

- decnet.geoip package with factory/base/lookup + rir/ subpackage
  (fetch/parse/provider) mirroring the db + bus factory convention
- Profiler._build_record calls enrich_ip on every upsert
- Idempotent ALTER TABLE migrations for both SQLite and MySQL
- decnet geoip refresh/lookup CLI (master-only)
- /var/lib/decnet/geoip seeded by decnet init
- DECNET_GEOIP_ENABLED=false kill-switch; set in tests/conftest.py so
  unit tests never trigger the first-access fetch

decnet/geoip/paths.py

@@ -0,0 +1,19 @@
+"""Filesystem layout for GeoIP data.
+
+``GEOIP_ROOT`` is where providers drop their raw files and cache indexes.
+Default ``/var/lib/decnet/geoip`` — ``decnet init`` seeds the directory
+with ``decnet:decnet`` ownership, mode 0755. Override with
+``DECNET_GEOIP_ROOT`` for test harnesses.
+"""
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+GEOIP_ROOT = Path(os.environ.get("DECNET_GEOIP_ROOT", "/var/lib/decnet/geoip"))
+
+
+def ensure_root() -> Path:
+    """Create ``GEOIP_ROOT`` if absent and return it. No-op if present."""
+    GEOIP_ROOT.mkdir(parents=True, exist_ok=True)
+    return GEOIP_ROOT