fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

decnet/web/router/swarm_updates/api_list_host_releases.py

@@ -39,13 +39,14 @@ async def _probe_host(host: dict[str, Any]) -> HostReleaseInfo:
     try:
         async with UpdaterClient(host=host) as u:
             body = await u.health()
-    except Exception as exc:  # noqa: BLE001
+    except Exception:  # noqa: BLE001
+        log.warning("swarm_updates.list probe unreachable host=%s", host.get("name"), exc_info=True)
         return HostReleaseInfo(
             host_uuid=host["uuid"],
             host_name=host["name"],
             address=host["address"],
             reachable=False,
-            detail=f"{type(exc).__name__}: {exc}",
+            detail="host unreachable",
         )
     releases = body.get("releases") or []
     current, previous = _extract_shas(releases)

decnet/web/router/swarm_updates/api_push_update.py

@@ -96,10 +96,14 @@ async def _push_one(
                     # Connection drop on update-self is expected and not an error.
                     self_ok = _is_expected_connection_drop(exc)
                     if not self_ok:
+                        log.warning(
+                            "swarm_updates.push self-update transport failure host=%s: %s",
+                            host.get("name"), exc,
+                        )
                         return PushUpdateResult(
                             host_uuid=host["uuid"], host_name=host["name"],
                             status="self-failed", http_status=r.status_code, sha=sha,
-                            detail=f"agent updated OK but self-update failed: {exc}",
+                            detail="agent updated OK but self-update transport failure",
                             stderr=stderr,
                         )
                 status = "self-updated" if self_ok else "self-failed"
@@ -110,12 +114,12 @@ async def _push_one(
                 detail=body.get("error") or body.get("probe") if isinstance(body, dict) else None,
                 stderr=stderr,
             )
-    except Exception as exc:  # noqa: BLE001
+    except Exception:  # noqa: BLE001
         log.exception("swarm_updates.push failed host=%s", host.get("name"))
         return PushUpdateResult(
             host_uuid=host["uuid"], host_name=host["name"],
             status="failed",
-            detail=f"{type(exc).__name__}: {exc}",
+            detail="transport failure",
         )
 
 

decnet/web/router/swarm_updates/api_push_update_self.py

@@ -56,12 +56,12 @@ async def _push_self_one(host: dict[str, Any], tarball: bytes, sha: str) -> Push
             http_status=http_status, sha=sha,
             detail=detail, stderr=stderr,
         )
-    except Exception as exc:  # noqa: BLE001
+    except Exception:  # noqa: BLE001
         log.exception("swarm_updates.push_self failed host=%s", host.get("name"))
         return PushUpdateResult(
             host_uuid=host["uuid"], host_name=host["name"],
             status="self-failed",
-            detail=f"{type(exc).__name__}: {exc}",
+            detail="transport failure",
         )
 
 

decnet/web/router/swarm_updates/api_rollback_host.py

@@ -49,12 +49,12 @@ async def api_rollback_host(
     try:
         async with UpdaterClient(host=host) as u:
             r = await u.rollback()
-    except Exception as exc:  # noqa: BLE001
+    except Exception:  # noqa: BLE001
         log.exception("swarm_updates.rollback transport failure host=%s", host["name"])
         return RollbackResponse(
             host_uuid=host["uuid"], host_name=host["name"],
             status="failed",
-            detail=f"{type(exc).__name__}: {exc}",
+            detail="transport failure",
         )
 
     body = r.json() if r.content else {}