feat(api/sse): per-user connection cap + viewer-safe invariant

New decnet/web/sse_limits.py provides sse_connection_slot, an async
context manager that counts live SSE connections per user UUID and
raises 429 when a per-user cap is exceeded (default 5, override via
DECNET_SSE_MAX_PER_USER). Wired into both SSE generators as their
first async with, so the cap check fires before any stream data is
yielded.

The cap must sit inside the generator — StreamingResponse returns
before the generator body runs, so a handler-level wrapper would
release the slot immediately. Put prefetch + slot + loop all under
the one async with.

Also documents F6/I (role leakage) as mitigated-by-construction via
handler docstrings: every event type on both streams wraps data
already reachable via viewer-gated REST, so no per-event filter is
needed until a new event family is introduced. The invariant is
written into the handler docstrings so a future PR can't silently
add admin-only events.

Resolves THREAT_MODEL F6/I and F6/D.

tests/api/conftest.py

@@ -45,6 +45,16 @@ def _reset_login_rate_limiter() -> None:
     yield
     _login_limiter.reset()
 
+
+@pytest.fixture(autouse=True)
+def _reset_sse_limits() -> None:
+    """SSE connection counters are module-level dicts; reset between
+    tests so leftover slots don't leak across cases."""
+    from decnet.web import sse_limits
+    sse_limits._reset_for_tests()
+    yield
+    sse_limits._reset_for_tests()
+
 VIEWER_USERNAME = "testviewer"
 VIEWER_PASSWORD = "viewer-pass-123"
 

tests/api/test_sse_limits.py

@@ -0,0 +1,60 @@
+"""Per-user SSE connection cap — F6/D mitigation."""
+import pytest
+from fastapi import HTTPException
+
+from decnet.web import sse_limits
+
+
+@pytest.mark.asyncio
+async def test_slot_under_cap_enters_cleanly(monkeypatch):
+    monkeypatch.setattr(sse_limits, "_MAX_PER_USER", 2)
+    sse_limits._reset_for_tests()
+
+    async with sse_limits.sse_connection_slot("u1"):
+        assert sse_limits.current_count("u1") == 1
+        async with sse_limits.sse_connection_slot("u1"):
+            assert sse_limits.current_count("u1") == 2
+
+    assert sse_limits.current_count("u1") == 0
+
+
+@pytest.mark.asyncio
+async def test_slot_over_cap_raises_429(monkeypatch):
+    monkeypatch.setattr(sse_limits, "_MAX_PER_USER", 1)
+    sse_limits._reset_for_tests()
+
+    async with sse_limits.sse_connection_slot("u1"):
+        with pytest.raises(HTTPException) as exc:
+            async with sse_limits.sse_connection_slot("u1"):
+                pass
+        assert exc.value.status_code == 429
+
+    # Released after the outer context exits → fresh slot works.
+    async with sse_limits.sse_connection_slot("u1"):
+        assert sse_limits.current_count("u1") == 1
+
+
+@pytest.mark.asyncio
+async def test_slot_per_user_isolation(monkeypatch):
+    monkeypatch.setattr(sse_limits, "_MAX_PER_USER", 1)
+    sse_limits._reset_for_tests()
+
+    async with sse_limits.sse_connection_slot("u1"):
+        async with sse_limits.sse_connection_slot("u2"):
+            assert sse_limits.current_count("u1") == 1
+            assert sse_limits.current_count("u2") == 1
+
+
+@pytest.mark.asyncio
+async def test_slot_decrements_on_exception(monkeypatch):
+    monkeypatch.setattr(sse_limits, "_MAX_PER_USER", 1)
+    sse_limits._reset_for_tests()
+
+    with pytest.raises(ValueError):
+        async with sse_limits.sse_connection_slot("u1"):
+            raise ValueError("boom")
+
+    assert sse_limits.current_count("u1") == 0
+    # Slot is free again after exception path.
+    async with sse_limits.sse_connection_slot("u1"):
+        pass

tests/api/topology/test_events_stream.py

@@ -92,7 +92,7 @@ async def test_events_emits_snapshot_and_live_event(auth_token, _fake_app_bus):
     response = await _ev.api_topology_events(
         topology_id=tid,
         request=_FakeRequest(),  # type: ignore[arg-type]
-        _user={"role": "admin"},
+        user={"role": "admin", "uuid": "00000000-0000-0000-0000-000000000000"},
     )
     gen = response.body_iterator