fix: harden startup security — require strong secrets, restrict CORS

- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
  required env vars; startup raises ValueError if unset or set to a
  known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
  http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
  and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
  collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
  from env instead of hardcoded "admin"

Closes DEBT-001, DEBT-002, DEBT-004

decnet/env.py

@@ -9,15 +9,38 @@ _ROOT: Path = Path(__file__).parent.parent.absolute()
 load_dotenv(_ROOT / ".env.local")
 load_dotenv(_ROOT / ".env")
 
+
+def _require_env(name: str) -> str:
+    """Return the env var value or raise at startup if it is unset or a known-bad default."""
+    _KNOWN_BAD = {"fallback-secret-key-change-me", "admin", "secret", "password", "changeme"}
+    value = os.environ.get(name)
+    if not value:
+        raise ValueError(
+            f"Required environment variable '{name}' is not set. "
+            f"Set it in .env.local or export it before starting DECNET."
+        )
+    if value.lower() in _KNOWN_BAD:
+        raise ValueError(
+            f"Environment variable '{name}' is set to an insecure default ('{value}'). "
+            f"Choose a strong, unique value before starting DECNET."
+        )
+    return value
+
+
 # API Options
 DECNET_API_HOST: str = os.environ.get("DECNET_API_HOST", "0.0.0.0")  # nosec B104
 DECNET_API_PORT: int = int(os.environ.get("DECNET_API_PORT", "8000"))
-DECNET_JWT_SECRET: str = os.environ.get("DECNET_JWT_SECRET", "fallback-secret-key-change-me")
+DECNET_JWT_SECRET: str = _require_env("DECNET_JWT_SECRET")
 DECNET_INGEST_LOG_FILE: str | None = os.environ.get("DECNET_INGEST_LOG_FILE", "/var/log/decnet/decnet.log")
 
 # Web Dashboard Options
 DECNET_WEB_HOST: str = os.environ.get("DECNET_WEB_HOST", "0.0.0.0")  # nosec B104
 DECNET_WEB_PORT: int = int(os.environ.get("DECNET_WEB_PORT", "8080"))
 DECNET_ADMIN_USER: str = os.environ.get("DECNET_ADMIN_USER", "admin")
-DECNET_ADMIN_PASSWORD: str = os.environ.get("DECNET_ADMIN_PASSWORD", "admin")
+DECNET_ADMIN_PASSWORD: str = _require_env("DECNET_ADMIN_PASSWORD")
 DECNET_DEVELOPER: bool = os.environ.get("DECNET_DEVELOPER", "False").lower() == "true"
+
+# CORS — comma-separated list of allowed origins for the web dashboard API.
+# Example: DECNET_CORS_ORIGINS=http://localhost:8080,https://dashboard.example.com
+_cors_raw: str = os.environ.get("DECNET_CORS_ORIGINS", "http://localhost:8080")
+DECNET_CORS_ORIGINS: list[str] = [o.strip() for o in _cors_raw.split(",") if o.strip()]

decnet/web/api.py

@@ -5,7 +5,7 @@ from typing import Any, AsyncGenerator, Optional
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
-from decnet.env import DECNET_DEVELOPER
+from decnet.env import DECNET_CORS_ORIGINS, DECNET_DEVELOPER
 from decnet.web.dependencies import repo
 from decnet.web.ingester import log_ingestion_worker
 from decnet.web.router import api_router
@@ -47,10 +47,10 @@ app: FastAPI = FastAPI(
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=DECNET_CORS_ORIGINS,
     allow_credentials=False,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_headers=["Authorization", "Content-Type"],
 )
 
 # Include the modular API router