feat(daemon): wire Slice B into cmd/openwatch serve (eventbus + alertrouter + liveness loop)

[remyluslosius]

Why

The Slice B packages have been libraries with no runtime wiring since they were merged. `openwatch serve` boots HTTP and the existing in-process diagnostics worker — nothing else. This PR turns three of those libraries into actual runtime subsystems:

• `internal/eventbus` — in-process pub/sub
• `internal/alertrouter` — alert dispatcher with a new stdout channel
• `internal/liveness` — probe loop, now publishing `HeartbeatPulse` to the bus

After this PR, `openwatch serve` runs the alert router and the liveness probe loop. Booting against a fleet with hosts produces a tickable liveness sweep; transitions fire to the bus; the alert router fans them out to the stdout channel (visible via `journalctl`).

Spec changes

NEW: `system-daemon-orchestration` v1.0.0 (7 ACs)

The trimmed version of the spec pulled out of #429. Scope: what's actually wired and tested in this PR.

Amended: `system-liveness-loop` v1.0.0 → v1.1.0 (+8 ACs)

• `C-10` / AC-16/17 — `Service.Run(ctx)` blocking loop walks active hosts
• `C-11` / AC-18 — skips hosts whose `host_backoff_state.suppress_until` is in the future
• AC-19 — returns within 2s of ctx cancel
• `C-12` / AC-20/21/22 — publishes `HeartbeatPulse` on state transition; no publish on steady state
• `C-13` / AC-23 — `NewService(pool, emit, bus)`; nil bus is valid

Amended: `system-drift-detector` v1.0.0 → v1.1.0 (+4 ACs)

• `C-09` / AC-15/16/17 — publishes `DriftDetected` on non-stable detection; per-severity counts match the audit detail
• `C-10` / AC-18 — `NewService(pool, emit, thresholds, bus)`; nil bus is valid

Code

Path	Change
`internal/alertrouter/channels/stdout/`	NEW — slog-based channel; zero external deps
`internal/liveness/service.go`	`NewService` gains `*Bus`; new `Service.Run` blocking loop; `publishHeartbeat` on transition; `listProbeTargets` SQL respects backoff
`internal/drift/service.go`	`NewService` gains `*Bus`; `publishDrift` on non-stable kind
`cmd/openwatch/main.go`	`cmdServe` now boots bus → router → register stdout (wildcard) → router.Start → liveness.NewService → `go liveSvc.Run` → server.Run. Reverse-order shutdown via deferred bus.Shutdown + audit.Shutdown + post-server router.Stop
`cmd/openwatch/source_test.go`	NEW source-inspection tests for the daemon-orchestration ACs

Verification

```
go vet ./... clean
go test -race -count=1 ./... PASS (full tree, ~4 min with Postgres)
specter parse PASS (40 specs)
specter check PASS
specter sync PASS (all 40 specs at threshold)
```

Per-spec coverage:

• `system-daemon-orchestration` 7/7 (NEW)
• `system-liveness-loop` 23/23 (was 15/15 — +8 v1.1.0 ACs)
• `system-drift-detector` 18/18 (was 14/14 — +4 v1.1.0 ACs)

Not in this PR

Each becomes its own follow-up that takes a future spec as its contract:

• `openwatch worker` subcommand (needs `system-worker-subcommand` spec)
• Scheduler dispatcher tick inside serve (needs DEK accessor + `policy.Schedules` loader)
• Drift detector loop (worker calls DetectForScan inline post-scan)
• Live Kensa binding (`system-kensa-executor` v2 AC-18)
• Slack / email / webhook channel implementations

Test plan

• CI: `Quality + security gates` pass (vet, lint, vuln, test-race, specter sync)
• Spot-check: `openwatch serve` against a populated DB; observe `journalctl -u openwatch -g alertrouter.alert.sent` (will be empty until an alert fires, which requires either a liveness transition with a seeded host or the worker firing scans — neither flows in this PR; the channel itself is verified by unit test)