fix(security): close INFO ASVS findings — secret echo, TLS floor, mandatory tarball SHA, CORS/Content-Type guards, BUG-17

- V7.1.3: env known-insecure-default error no longer echoes the rejected secret value.
- V9.1.4: syslog-over-TLS forwarder + listener pin minimum_version=TLSv1_2.
- V12.1.2: updater tarball SHA-256 verification is now mandatory and fail-closed —
  /update and /update-self reject a missing digest (400), the executor rejects
  missing/mismatched digests before extract/apply. Every push path supplies it.
- V13.1.4: reject a wildcard '*' in DECNET_CORS_ORIGINS at startup.
- V13.1.5: enforce application/json on JSON write endpoints (415 otherwise),
  exempting multipart upload routes.
- BUG-17: SSE error log records the user uuid, not the resume cursor.

Also completes V2.1.7 consistently: the attacker-injectable PYTEST* env bypass is
replaced with explicit DECNET_TESTING=1 in the three remaining sites
(env.validate_public_binding, config logging, mysql url builder).

Tests added for every fix; unanimous adversarial review (no update-outage risk —
all push paths verified to send the digest).

tests/swarm/test_forwarder_resilience.py

@@ -69,6 +69,18 @@ async def _wait_for(pred, timeout: float = 5.0, interval: float = 0.1) -> bool:
 # ----------------------------------------------------------- pure helpers
 
 
+def test_worker_ssl_context_pins_tls12_floor(_pki_env: dict) -> None:
+    """V9.1.4: forwarder client context must set an explicit TLS 1.2 floor."""
+    ctx = fwd.build_worker_ssl_context(_pki_env["worker_dir"])
+    assert ctx.minimum_version == ssl.TLSVersion.TLSv1_2
+
+
+def test_listener_ssl_context_pins_tls12_floor(_pki_env: dict) -> None:
+    """V9.1.4: listener server context must set an explicit TLS 1.2 floor."""
+    ctx = lst.build_listener_ssl_context(_pki_env["ca_dir"])
+    assert ctx.minimum_version == ssl.TLSVersion.TLSv1_2
+
+
 def test_peer_cn_returns_unknown_when_no_ssl_object() -> None:
     assert lst.peer_cn(None) == "unknown"