fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

decnet/web/dependencies.py

@@ -37,6 +37,17 @@ oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
 # Per-request user lookup was the hidden tax behind every authed endpoint —
 # SELECT users WHERE uuid=? ran once per call, serializing through aiosqlite.
 # 10s TTL is well below JWT expiry and we invalidate on all user writes.
+#
+# REVOCATION-WINDOW NOTE (V2.1.8, accept-risk): these per-process caches bound
+# how long a *stale* user/username/denylist row can be served. Single-process:
+# a role downgrade or password change is reflected within ~_USER_TTL (10s) even
+# if the in-process invalidate_user_cache hook is missed; the local write path
+# invalidates immediately. Multi-worker (gunicorn/uvicorn --workers>1) gives
+# each worker its own cache, so the worst-case cross-worker staleness is also
+# ~10s and would need a shared cache (Redis) to collapse to zero. This staleness
+# is NOT the authoritative revocation control: JWT bulk-revoke via the user's
+# tokens_valid_from cutoff (enforced in _resolve_token) is the hard cutoff and
+# is unaffected by these caches.
 _USER_TTL = 10.0
 _user_cache: dict[str, tuple[Optional[dict[str, Any]], float]] = {}
 _user_cache_lock: Optional[asyncio.Lock] = None
@@ -389,6 +400,11 @@ def require_stream_role(*allowed_roles: str):
         header_token = _bearer_from_header(request)
         if header_token:
             _user_uuid, user = await _resolve_token(header_token)
+            if user.get("must_change_password"):
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Password change required before accessing this resource",
+                )
             if user["role"] not in allowed_roles:
                 raise HTTPException(
                     status_code=status.HTTP_403_FORBIDDEN,