fix(security): close INFO ASVS findings — secret echo, TLS floor, mandatory tarball SHA, CORS/Content-Type guards, BUG-17

- V7.1.3: env known-insecure-default error no longer echoes the rejected secret value.
- V9.1.4: syslog-over-TLS forwarder + listener pin minimum_version=TLSv1_2.
- V12.1.2: updater tarball SHA-256 verification is now mandatory and fail-closed —
  /update and /update-self reject a missing digest (400), the executor rejects
  missing/mismatched digests before extract/apply. Every push path supplies it.
- V13.1.4: reject a wildcard '*' in DECNET_CORS_ORIGINS at startup.
- V13.1.5: enforce application/json on JSON write endpoints (415 otherwise),
  exempting multipart upload routes.
- BUG-17: SSE error log records the user uuid, not the resume cursor.

Also completes V2.1.7 consistently: the attacker-injectable PYTEST* env bypass is
replaced with explicit DECNET_TESTING=1 in the three remaining sites
(env.validate_public_binding, config logging, mysql url builder).

Tests added for every fix; unanimous adversarial review (no update-outage risk —
all push paths verified to send the digest).

decnet/config.py

@@ -79,9 +79,12 @@ def _configure_logging(dev: bool) -> None:
     stream_handler.setFormatter(fmt)
     root.addHandler(stream_handler)
 
-    # Skip the file handler during pytest runs to avoid polluting the test cwd.
-    _in_pytest = any(k.startswith("PYTEST") for k in os.environ)
-    if not _in_pytest:
+    # Skip the file handler during test runs to avoid polluting the test cwd.
+    # Gated on the explicit, non-attacker-injectable DECNET_TESTING=1 flag
+    # (set by the test harness) rather than the attacker-controllable PYTEST*
+    # namespace (V2.1.7).
+    _in_test = os.environ.get("DECNET_TESTING") == "1"
+    if not _in_test:
         _log_path = os.environ.get("DECNET_SYSTEM_LOGS", "decnet.system.log")
         # Never let file-handler attach failure kill the process. The
         # stream handler above is already installed, so losing the file