fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16

Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.

tests/intel/test_worker.py

@@ -19,7 +19,7 @@ from typing import Optional
 import pytest
 
 from decnet.intel.base import IntelProvider, IntelResult
-from decnet.intel.worker import run_intel_loop, _aggregate
+from decnet.intel.worker import run_intel_loop, _aggregate, _enrich_one
 from decnet.web.db.factory import get_repository
 
 
@@ -206,6 +206,54 @@ async def test_provider_error_does_not_poison_row(repo):
     assert row["aggregate_verdict"] == "benign"
 
 
+@pytest.mark.anyio
+async def test_unexpected_provider_raise_does_not_lose_other_results():
+    """BUG-15 regression: an unexpected exception from one provider must
+    not cancel sibling providers or swallow their results.
+
+    Before the fix ``asyncio.gather(..., return_exceptions=False)`` let an
+    unexpected raise propagate immediately, cancelling all sibling tasks
+    and losing their results for the whole IP batch.
+
+    After the fix ``return_exceptions=True`` is used; exception results are
+    filtered out and logged, while valid :class:`IntelResult` objects from
+    other providers are processed normally.
+    """
+
+    class _RaisingProvider(IntelProvider):
+        """Simulates an unexpected (non-contractual) exception."""
+        concurrency = 1
+        min_dispatch_interval_s = 0.0
+        name = "exploding"
+
+        async def lookup(self, ip: str) -> IntelResult:
+            raise RuntimeError("unexpected boom")
+
+    good = _FakeProvider(
+        "greynoise",
+        verdict="benign",
+        column_updates={
+            "greynoise_classification": "benign",
+            "greynoise_raw": {},
+            "greynoise_queried_at": datetime.now(timezone.utc),
+        },
+    )
+    bad = _RaisingProvider()
+
+    row = await _enrich_one(
+        attacker_uuid="test-uuid",
+        ip="10.0.0.1",
+        providers=[good, bad],
+        ttl_hours=24,
+    )
+
+    # The good provider's data must be present despite the bad one raising.
+    assert row["greynoise_classification"] == "benign"
+    assert row["aggregate_verdict"] == "benign"
+    # The bad provider did not poison the row or raise to the caller.
+    assert good.calls == ["10.0.0.1"]
+
+
 @pytest.mark.anyio
 async def test_intel_enriched_event_published_to_bus(repo, monkeypatch):
     """End-to-end: worker dispatches providers + publishes the event."""