Service-Bus: document attacker.intel.enriched + new wake-signal consumers

Service-Bus.md

@@ -148,7 +148,9 @@ Current topic families:
 | `topology.{id}.status`            | Mutator | `{state, reason}` |
 | `decky.{id}.state`                | _reserved_ | — |
 | `decky.{id}.traffic`              | _reserved_ | — |
-| `attacker.observed`               | _reserved_ | — |
+| `attacker.observed`               | Correlator | first sighting; consumed by `decnet enrich` as a wake signal |
+| `attacker.scored`                 | Profiler   | post-enrichment score update; also wakes `decnet enrich` |
+| `attacker.intel.enriched`         | `decnet enrich` | `{attacker_ip, aggregate_verdict, providers}` after a threat-intel pass; webhook → SIEM |
 | `system.log`                      | _reserved_ | — |
 | `system.bus.health`               | Bus worker heartbeat | `{ts, uptime_s}` |