fix(security): close INFO ASVS findings — secret echo, TLS floor, mandatory tarball SHA, CORS/Content-Type guards, BUG-17

- V7.1.3: env known-insecure-default error no longer echoes the rejected secret value.
- V9.1.4: syslog-over-TLS forwarder + listener pin minimum_version=TLSv1_2.
- V12.1.2: updater tarball SHA-256 verification is now mandatory and fail-closed —
  /update and /update-self reject a missing digest (400), the executor rejects
  missing/mismatched digests before extract/apply. Every push path supplies it.
- V13.1.4: reject a wildcard '*' in DECNET_CORS_ORIGINS at startup.
- V13.1.5: enforce application/json on JSON write endpoints (415 otherwise),
  exempting multipart upload routes.
- BUG-17: SSE error log records the user uuid, not the resume cursor.

Also completes V2.1.7 consistently: the attacker-injectable PYTEST* env bypass is
replaced with explicit DECNET_TESTING=1 in the three remaining sites
(env.validate_public_binding, config logging, mysql url builder).

Tests added for every fix; unanimous adversarial review (no update-outage risk —
all push paths verified to send the digest).

decnet/updater/app.py

@@ -165,8 +165,8 @@ async def update(
     try:
         return _exec.run_update(
             body, sha=sha or None,
+            expected_sha256=sha256,
             install_dir=_Config.install_dir, agent_dir=_Config.agent_dir,
-            expected_sha256=sha256 or None,
         )
     except _exec.UpdateError as exc:
         status = 409 if exc.rolled_back else 500
@@ -196,7 +196,7 @@ async def update_self(
         return _exec.run_update_self(
             body, sha=sha or None,
             updater_install_dir=_Config.updater_install_dir,
-            expected_sha256=sha256 or None,
+            expected_sha256=sha256,
         )
     except _exec.UpdateError as exc:
         raise HTTPException(