fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

decnet/web/router/swarm_mgmt/api_enroll_bundle.py

@@ -34,6 +34,7 @@ from decnet.swarm.bundle_builder import build_tarball, render_bootstrap
 from decnet.web.db.models.swarm import EnrollBundleRequest, EnrollBundleResponse
 from decnet.web.db.repository import BaseRepository
 from decnet.web.dependencies import get_repo, require_admin
+from decnet.web.limiter import limiter
 
 log = get_logger("swarm_mgmt.enroll_bundle")
 
@@ -117,8 +118,10 @@ async def _lookup_live(token: str) -> _Bundle:
         403: {"description": "Insufficient permissions"},
         409: {"description": "A worker with this name is already enrolled"},
         422: {"description": "Request body validation error"},
+        429: {"description": "Too many enroll-bundle requests — retry after the window resets"},
     },
 )
+@limiter.limit("10/minute")
 async def create_enroll_bundle(
     req: EnrollBundleRequest,
     request: Request,
@@ -251,6 +254,14 @@ async def get_payload(
     # The agent's first connect-back — its source IP is the reachable address
     # the master will later use to probe it. Backfill the SwarmHost row here
     # so the operator sees the real address instead of an empty placeholder.
+    #
+    # PROXY TRUST WARNING: `request.client.host` is the TCP peer's IP.
+    # If this endpoint sits behind a TCP-terminating reverse proxy (nginx,
+    # HAProxy, etc.) the recorded address will be the proxy's IP, not the
+    # agent's. Either bind the API directly on the network reachable by
+    # agents, or configure the proxy to preserve the original source IP
+    # (e.g. PROXY Protocol on a loopback listener, *not* X-Forwarded-For
+    # which is trivially spoofable). See THREAT_MODEL.md §DA-08.
     client_host = request.client.host if request.client else ""
     if client_host:
         try: