fix: harden startup security — require strong secrets, restrict CORS

- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
  required env vars; startup raises ValueError if unset or set to a
  known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
  http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
  and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
  collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
  from env instead of hardcoded "admin"

Closes DEBT-001, DEBT-002, DEBT-004

tests/conftest.py

@@ -0,0 +1,11 @@
+"""
+Shared pytest configuration.
+
+Env vars required by decnet.env must be set here, at module level, before
+any test file imports decnet.* — pytest loads conftest.py first.
+"""
+import os
+
+os.environ.setdefault("DECNET_JWT_SECRET", "test-jwt-secret-not-for-production-use")
+os.environ.setdefault("DECNET_ADMIN_PASSWORD", "test-admin-password-1234!")
+os.environ.setdefault("DECNET_ADMIN_USER", "admin")

tests/test_web_api.py

@@ -6,6 +6,7 @@ from fastapi.testclient import TestClient
 
 from decnet.web.api import app
 from decnet.web.dependencies import repo
+from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
 
 
 @pytest.fixture(autouse=True)
@@ -29,7 +30,7 @@ def test_login_success() -> None:
         # The TestClient context manager triggers startup/shutdown events
         response = client.post(
             "/api/v1/auth/login", 
-            json={"username": "admin", "password": "admin"}
+            json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}
         )
         assert response.status_code == 200
         data = response.json()
@@ -57,7 +58,7 @@ def test_login_failure() -> None:
 def test_change_password() -> None:
     with TestClient(app) as client:
         # First login to get token
-        login_resp = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
+        login_resp = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
         token = login_resp.json()["access_token"]
 
         # Try changing password with wrong old password
@@ -71,17 +72,17 @@ def test_change_password() -> None:
         # Change password successfully
         resp2 = client.post(
             "/api/v1/auth/change-password",
-            json={"old_password": "admin", "new_password": "new_secure_password"},
+            json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "new_secure_password"},
             headers={"Authorization": f"Bearer {token}"}
         )
         assert resp2.status_code == 200
 
         # Verify old password no longer works
-        resp3 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
+        resp3 = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
         assert resp3.status_code == 401
 
         # Verify new password works and must_change_password is False
-        resp4 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "new_secure_password"})
+        resp4 = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": "new_secure_password"})
         assert resp4.status_code == 200
         assert resp4.json()["must_change_password"] is False
 
@@ -96,7 +97,7 @@ def test_get_logs_success() -> None:
     with TestClient(app) as client:
         login_response = client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "admin"}
+            json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}
         )
         token = login_response.json()["access_token"]
         
@@ -119,7 +120,7 @@ def test_get_stats_success() -> None:
     with TestClient(app) as client:
         login_response = client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "admin"}
+            json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}
         )
         token = login_response.json()["access_token"]
         

tests/test_web_api_fuzz.py

@@ -8,6 +8,7 @@ import httpx
 
 from decnet.web.api import app
 from decnet.web.dependencies import repo
+from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
 
 # Re-use setup from test_web_api
 @pytest.fixture(scope="function", autouse=True)
@@ -53,7 +54,7 @@ def test_fuzz_change_password(old_password: str, new_password: str) -> None:
     """Fuzz the change-password endpoint with random strings."""
     with TestClient(app) as _client:
         # Get valid token first
-        _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
+        _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
         _token: str = _login_resp.json()["access_token"]
         
         _payload: dict[str, str] = {"old_password": old_password, "new_password": new_password}
@@ -76,7 +77,7 @@ def test_fuzz_change_password(old_password: str, new_password: str) -> None:
 def test_fuzz_get_logs(limit: int, offset: int, search: Optional[str]) -> None:
     """Fuzz the logs pagination and search."""
     with TestClient(app) as _client:
-        _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
+        _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
         _token: str = _login_resp.json()["access_token"]
         
         _params: dict[str, Any] = {"limit": limit, "offset": offset}