fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

decnet/web/router/health/api_get_health.py

@@ -62,8 +62,10 @@ async def _check_database_cached() -> ComponentHealth:
         try:
             await repo.get_total_logs()
             _db_component = ComponentHealth(status="ok")
-        except Exception as exc:
-            _db_component = ComponentHealth(status="failing", detail=str(exc))
+        except Exception:
+            import logging as _logging
+            _logging.getLogger("api.get_health").exception("database liveness check failed")
+            _db_component = ComponentHealth(status="failing", detail="database unavailable")
         _db_last_check = time.monotonic()
         return _db_component
 
@@ -95,7 +97,7 @@ async def get_health(user: dict = Depends(require_viewer)) -> Any:
                 detail = "cancelled"
             else:
                 exc = task.exception()
-                detail = f"exited: {exc}" if exc else "exited unexpectedly"
+                detail = "exited unexpectedly" if not exc else "exited with error"
             components[name] = ComponentHealth(status="failing", detail=detail)
         else:
             components[name] = ComponentHealth(status="ok")
@@ -112,10 +114,12 @@ async def get_health(user: dict = Depends(require_viewer)) -> Any:
             await asyncio.to_thread(_docker_client.ping)  # type: ignore[union-attr]
             _docker_healthy = True
             _docker_detail = ""
-        except Exception as exc:
+        except Exception:
+            import logging as _logging
+            _logging.getLogger("api.get_health").exception("docker daemon ping failed")
             _docker_client = None
             _docker_healthy = False
-            _docker_detail = str(exc)
+            _docker_detail = "docker daemon unavailable"
         _docker_last_check = now
 
     if _docker_healthy: