fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

decnet/web/db/models/auth.py

@@ -3,10 +3,18 @@
 from datetime import datetime, timezone
 from typing import List, Literal, Optional
 
-from pydantic import BaseModel, Field as PydanticField
+from pydantic import BaseModel, Field as PydanticField, field_validator
 from sqlmodel import Field, SQLModel
 
 
+def _reject_over_72_bytes(v: str) -> str:
+    """bcrypt silently truncates at 72 bytes; reject instead to avoid
+    collision/confusion between passwords that share a 72-byte prefix."""
+    if len(v.encode("utf-8")) > 72:
+        raise ValueError("password must not exceed 72 UTF-8 bytes (bcrypt limit)")
+    return v
+
+
 class User(SQLModel, table=True):
     __tablename__ = "users"
     uuid: str = Field(primary_key=True)
@@ -55,6 +63,11 @@ class ChangePasswordRequest(BaseModel):
     # floor a seeded admin could clear must_change_password with a 1-char secret.
     new_password: str = PydanticField(..., min_length=12, max_length=72)
 
+    @field_validator("old_password", "new_password", mode="after")
+    @classmethod
+    def _check_byte_limit(cls, v: str) -> str:
+        return _reject_over_72_bytes(v)
+
 
 class SSETicketResponse(BaseModel):
     """Single-use, short-lived opaque ticket the dashboard exchanges its header
@@ -68,16 +81,26 @@ class SSETicketResponse(BaseModel):
 
 class CreateUserRequest(BaseModel):
     username: str = PydanticField(..., min_length=1, max_length=64)
-    password: str = PydanticField(..., min_length=8, max_length=72)
+    password: str = PydanticField(..., min_length=12, max_length=72)
     role: Literal["admin", "viewer"] = "viewer"
 
+    @field_validator("password", mode="after")
+    @classmethod
+    def _check_byte_limit(cls, v: str) -> str:
+        return _reject_over_72_bytes(v)
+
 
 class UpdateUserRoleRequest(BaseModel):
     role: Literal["admin", "viewer"]
 
 
 class ResetUserPasswordRequest(BaseModel):
-    new_password: str = PydanticField(..., min_length=8, max_length=72)
+    new_password: str = PydanticField(..., min_length=12, max_length=72)
+
+    @field_validator("new_password", mode="after")
+    @classmethod
+    def _check_byte_limit(cls, v: str) -> str:
+        return _reject_over_72_bytes(v)
 
 
 class DeploymentLimitRequest(BaseModel):

decnet/web/db/models/logs.py

@@ -67,6 +67,16 @@ class Credential(SQLModel, table=True):
     __table_args__ = (
         Index("ix_credentials_secret_service", "secret_sha256", "service"),
         Index("ix_credentials_principal_service", "principal", "service"),
+        # Dedup constraint: same (attacker_ip, decky, service, secret_kind,
+        # secret_sha256, principal_key) → one row.  ``principal_key`` is
+        # the non-null canonical form of ``principal`` (empty string when
+        # principal is NULL) so the constraint is UNIQUE-safe under SQLite's
+        # NULL-distinct behaviour and MySQL's standard UNIQUE semantics.
+        UniqueConstraint(
+            "attacker_ip", "decky_name", "service",
+            "secret_kind", "secret_sha256", "principal_key",
+            name="uq_credentials_dedup",
+        ),
     )
     id: Optional[int] = Field(default=None, primary_key=True)
     # Keyed by attacker IP (not attackers.uuid) on the write path to
@@ -81,6 +91,11 @@ class Credential(SQLModel, table=True):
     decky_name: str = Field(index=True)
     service: str = Field(index=True)
     principal: Optional[str] = Field(default=None, index=True, max_length=256)
+    # Non-null canonical form of ``principal`` used in ``uq_credentials_dedup``.
+    # Empty string when ``principal`` is NULL so the UNIQUE constraint behaves
+    # correctly under SQLite's NULL-distinct semantics (same pattern as
+    # ``CredentialReuse.principal_key``).
+    principal_key: str = Field(default="", max_length=256)
     # Discriminator for what `secret_b64` actually contains. Default
     # ``"plaintext"`` — a recoverable password the attacker sent on the
     # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds: