feat(darkwatch): implement DarkWatch tRPC router and service layer

- Add darkwatch router with procedures: getWatchlist, addWatchlistItem,
  removeWatchlistItem, getExposures, getExposureDetails, runScan,
  getScanStatus, getReports
- Add darkwatch service with watchlist CRUD, exposure queries,
  scan orchestration, tier limit enforcement, report listing
- Add scan engine with HIBP, SecurityTrails, Censys, Shodan, and
  forum scraping modules (circuit breaker pattern, env-var API keys)
- Add alert pipeline with severity scoring, deduplication, and
  exposure-to-alert creation
- Add valibot schemas for input validation
- Register router in root.ts
- Write unit tests for router procedures, service functions,
  and severity scoring (21 tests passing)

web/src/server/api/schemas/darkwatch.ts

@@ -0,0 +1,28 @@
+import { object, string, minLength, optional, number, picklist } from "valibot";
+
+export const AddWatchlistItemSchema = object({
+  type: picklist(["email", "phoneNumber", "ssn", "address", "domain"]),
+  value: string([minLength(1)]),
+});
+
+export const RemoveWatchlistItemSchema = object({
+  itemId: string([minLength(1)]),
+});
+
+export const ExposureFilterSchema = object({
+  severity: optional(picklist(["info", "warning", "critical"])),
+  source: optional(picklist(["hibp", "securityTrails", "censys", "darkWebForum", "shodan", "honeypot"])),
+  page: optional(number(), 1),
+  limit: optional(number(), 20),
+});
+
+export const ExposureDetailsSchema = object({
+  exposureId: string([minLength(1)]),
+});
+
+export const RunScanSchema = object({});
+
+export const ReportFilterSchema = object({
+  page: optional(number(), 1),
+  limit: optional(number(), 20),
+});