feat(geoip): country-code enrichment via RIR delegated-stats

Populates Attacker.country_code + country_source (MVP) using the five
RIR delegated-stats files (ARIN/RIPE/APNIC/LACNIC/AFRINIC). Offline,
license-free, no outbound traffic that could burn honeypot stealth.

- decnet.geoip package with factory/base/lookup + rir/ subpackage
  (fetch/parse/provider) mirroring the db + bus factory convention
- Profiler._build_record calls enrich_ip on every upsert
- Idempotent ALTER TABLE migrations for both SQLite and MySQL
- decnet geoip refresh/lookup CLI (master-only)
- /var/lib/decnet/geoip seeded by decnet init
- DECNET_GEOIP_ENABLED=false kill-switch; set in tests/conftest.py so
  unit tests never trigger the first-access fetch

decnet/web/db/models/attackers.py

@@ -39,6 +39,10 @@ class Attacker(SQLModel, table=True):
     commands: str = Field(
         default="[]", sa_column=Column("commands", _BIG_TEXT, nullable=False, default="[]")
     )  # JSON list[dict] — commands per service/decky
+    # GeoIP enrichment (populated by the profiler from decnet.geoip.enrich_ip).
+    # Nullable because private / loopback / IPv6 sources never resolve.
+    country_code: Optional[str] = Field(default=None, max_length=2, index=True)
+    country_source: Optional[str] = Field(default=None, max_length=16)
     updated_at: datetime = Field(
         default_factory=lambda: datetime.now(timezone.utc), index=True
     )