fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

tests/api/swarm_updates/test_list_host_releases.py

@@ -34,7 +34,10 @@ async def test_admin_lists_reachable_and_unreachable_hosts(
     assert hosts["alpha"]["current_sha"] == "aaaa111"
     assert hosts["alpha"]["previous_sha"] == "0000000"
     assert hosts["beta"]["reachable"] is False
-    assert "TLS handshake" in hosts["beta"]["detail"]
+    # V7.1.2: internal exception text must not leak to the response body.
+    assert "TLS handshake" not in hosts["beta"]["detail"]
+    assert "RuntimeError" not in hosts["beta"]["detail"]
+    assert hosts["beta"]["detail"] == "host unreachable"
 
 
 @pytest.mark.anyio

tests/api/swarm_updates/test_push_update.py

@@ -2,8 +2,28 @@
 """POST /api/v1/swarm-updates/push — happy paths, rollback, validation."""
 from __future__ import annotations
 
+import re
+
 import pytest
 
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+_INTERNAL_LEAK_RE = re.compile(
+    r"Errno|ConnectionRefused|TimeoutError|OSError|RuntimeError|Exception|"
+    r"Traceback|\w+Error:\s|\w+Exception:\s|File \"|line \d+",
+    re.IGNORECASE,
+)
+
+def _assert_no_internal_detail(detail: str | None) -> None:
+    """Assert the detail string does not contain any internal exception noise."""
+    if detail is None:
+        return
+    assert not _INTERNAL_LEAK_RE.search(detail), (
+        f"V7.1.2: internal exception detail leaked to client: {detail!r}"
+    )
+
 
 @pytest.mark.anyio
 async def test_push_to_single_host_success(client, auth_token, add_host, fake_updater):
@@ -62,6 +82,49 @@ async def test_push_all_aggregates_mixed_results(client, auth_token, add_host, f
     assert statuses == {"alpha": "updated", "beta": "failed"}
 
 
+@pytest.mark.anyio
+async def test_transport_exception_detail_does_not_leak_internals(
+    client, auth_token, add_host, fake_updater,
+):
+    """V7.1.2: a raw transport exception must never appear in the response body."""
+    await add_host("alpha", "10.0.0.1")
+    fake_updater["client"].update_responses = {
+        "alpha": OSError("[Errno 111] Connection refused"),
+    }
+
+    resp = await client.post(
+        "/api/v1/swarm-updates/push",
+        headers={"Authorization": f"Bearer {auth_token}"},
+        json={"all": True},
+    )
+    assert resp.status_code == 200
+    result = resp.json()["results"][0]
+    assert result["status"] == "failed"
+    _assert_no_internal_detail(result.get("detail"))
+
+
+@pytest.mark.anyio
+async def test_include_self_failure_detail_does_not_leak_internals(
+    client, auth_token, add_host, fake_updater,
+):
+    """V7.1.2: include_self transport failure must not expose exception class/msg."""
+    await add_host("alpha", "10.0.0.1")
+    fake_updater["client"].update_self_responses = {
+        "alpha": OSError("[Errno 104] Connection reset by peer"),
+    }
+
+    resp = await client.post(
+        "/api/v1/swarm-updates/push",
+        headers={"Authorization": f"Bearer {auth_token}"},
+        json={"all": True, "include_self": True},
+    )
+    assert resp.status_code == 200
+    result = resp.json()["results"][0]
+    # status is self-failed (non-expected drop)
+    assert result["status"] == "self-failed"
+    _assert_no_internal_detail(result.get("detail"))
+
+
 @pytest.mark.anyio
 async def test_tarball_built_once_across_multi_host_push(
     client, auth_token, add_host, fake_updater, monkeypatch,

tests/api/swarm_updates/test_rollback_host.py

@@ -50,7 +50,10 @@ async def test_rollback_transport_failure_reported(client, auth_token, add_host,
     assert resp.status_code == 200
     body = resp.json()
     assert body["status"] == "failed"
-    assert "TLS handshake" in body["detail"]
+    # V7.1.2: internal exception text must not leak to the response body.
+    assert "TLS handshake" not in body["detail"]
+    assert "RuntimeError" not in body["detail"]
+    assert body["detail"] == "transport failure"
 
 
 @pytest.mark.anyio