fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

decnet/correlation/attribution_worker.py

@@ -344,11 +344,11 @@ async def tick_multi_actor(
     for entry in candidates:
         identity_uuid = str(entry["identity_uuid"])
         primitives: list[str] = sorted(entry.get("primitives") or [])
-        seen_now.add(identity_uuid)
         if len(primitives) < _T.MULTI_ACTOR_MIN_PRIMITIVES:
             # Repo already filters to >= 2 today; defensive against
             # future schema drift.
             continue
+        seen_now.add(identity_uuid)
         signature = frozenset(primitives)
         if last_fired.get(identity_uuid) == signature:
             continue

decnet/correlation/fingerprint_rotation.py

@@ -139,13 +139,20 @@ def record_fingerprint(
         "ts": ts.isoformat(),
     }
 
-    if publish_fn is not None:
-        publish_fn(_ROTATED_EVENT_TYPE, payload)
-    if syslog_fn is not None:
-        syslog_fn(_ROTATED_EVENT_TYPE, payload)
-
     session.commit()
 
+    try:
+        if publish_fn is not None:
+            publish_fn(_ROTATED_EVENT_TYPE, payload)
+        if syslog_fn is not None:
+            syslog_fn(_ROTATED_EVENT_TYPE, payload)
+    except Exception:  # noqa: BLE001
+        import logging as _logging
+        _logging.getLogger(__name__).warning(
+            "fingerprint_rotation: post-commit emit failed (state already durable)",
+            exc_info=True,
+        )
+
     return RotationOutcome(
         kind="rotated",
         old_hash=old_hash,

decnet/correlation/parser.py

@@ -19,7 +19,7 @@ from __future__ import annotations
 
 import re
 from dataclasses import dataclass, field
-from datetime import datetime
+from datetime import datetime, timezone
 from typing import Literal
 
 # RFC 5424 line structure
@@ -159,6 +159,8 @@ def parse_line(line: str) -> LogEvent | None:
         timestamp = datetime.fromisoformat(ts_raw)
     except ValueError:
         return None
+    if timestamp.tzinfo is None:
+        timestamp = timestamp.replace(tzinfo=timezone.utc)
 
     fields = _parse_sd_params(sd_rest)
     if sd_rest.startswith("-"):