fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

decnet/web/router/deckies/api_tarpit.py

@@ -50,7 +50,8 @@ def _apply_tarpit(veth: str, ports: list[int], delay_ms: int) -> None:
     for args in steps:
         r = _tc(*args)
         if r.returncode != 0:
-            raise RuntimeError(r.stderr.strip())
+            log.warning("tarpit tc apply failed veth=%s cmd=%s stderr=%r", veth, args[0], r.stderr.strip())
+            raise RuntimeError("tarpit command failed")
 
     for port in ports:
         r = _tc(
@@ -60,7 +61,8 @@ def _apply_tarpit(veth: str, ports: list[int], delay_ms: int) -> None:
             "flowid", "1:1",
         )
         if r.returncode != 0:
-            raise RuntimeError(r.stderr.strip())
+            log.warning("tarpit tc filter failed veth=%s port=%d stderr=%r", veth, port, r.stderr.strip())
+            raise RuntimeError("tarpit command failed")
 
 
 def _remove_tarpit(veth: str) -> bool:
@@ -69,7 +71,8 @@ def _remove_tarpit(veth: str) -> bool:
     if r.returncode != 0:
         if "Cannot find" in r.stderr or "No such" in r.stderr:
             return False
-        raise RuntimeError(r.stderr.strip())
+        log.warning("tarpit tc remove failed veth=%s stderr=%r", veth, r.stderr.strip())
+        raise RuntimeError("tarpit command failed")
     return True
 
 
@@ -126,7 +129,8 @@ async def api_enable_tarpit(
     try:
         await asyncio.to_thread(_apply_tarpit, veth, req.ports, req.delay_ms)
     except RuntimeError as exc:
-        raise HTTPException(status_code=409, detail=str(exc)) from exc
+        log.warning("tarpit enable failed decky=%s: %s", decky_name, exc, exc_info=True)
+        raise HTTPException(status_code=409, detail="tarpit command failed") from exc
 
     ports_json = json.dumps(req.ports)
     await repo.set_tarpit_rule({
@@ -212,7 +216,8 @@ async def api_disable_tarpit(
     try:
         await asyncio.to_thread(_remove_tarpit, veth)
     except RuntimeError as exc:
-        raise HTTPException(status_code=409, detail=str(exc)) from exc
+        log.warning("tarpit disable failed decky=%s: %s", decky_name, exc, exc_info=True)
+        raise HTTPException(status_code=409, detail="tarpit command failed") from exc
 
     await repo.delete_tarpit_rule(decky_name)
     await repo.add_log({