fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

decnet/web/router/webhooks/api_manage_webhooks.py

@@ -7,7 +7,7 @@ import secrets
 from datetime import datetime, timezone
 from typing import Any, cast
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Request
 
 from decnet.bus import topics as _topics
 from decnet.bus.app import get_app_bus
@@ -22,13 +22,28 @@ from decnet.web.db.models import (
 )
 from decnet.web.db.models.webhooks import _row_to_response_dict
 from decnet.web.dependencies import repo, require_admin
+from decnet.web.limiter import limiter
 from decnet.webhook.enums import merge_patterns
+from decnet.webhook.ssrf import WebhookDestinationError, validate_webhook_url
 
 log = get_logger("api.webhooks")
 
 router = APIRouter()
 
 
+def _validate_url_or_422(url: str) -> None:
+    """Reject a webhook URL that resolves to a forbidden destination.
+
+    Runs the same SSRF guard the delivery path enforces, but at
+    registration time so a bad URL is surfaced to the operator as a clear
+    422 instead of being silently dropped on every delivery attempt.
+    """
+    try:
+        validate_webhook_url(url)
+    except WebhookDestinationError as e:
+        raise HTTPException(status_code=422, detail=str(e)) from e
+
+
 async def _notify_subscriptions_changed() -> None:
     """Publish `system.webhook.subscriptions_changed` on the bus.
 
@@ -60,10 +75,14 @@ def _row_to_response(row: dict[str, Any]) -> WebhookResponse:
     responses={
         400: {"description": "At least one of simple_events / topic_patterns required"},
         409: {"description": "Name already in use"},
+        422: {"description": "URL resolves to a forbidden (internal) destination"},
+        429: {"description": "Too many webhook-create requests — retry after the window resets"},
     },
 )
+@limiter.limit("20/minute")
 @_traced("api.webhook.create")
 async def api_create_webhook(
+    request: Request,
     req: WebhookCreateRequest,
     admin: dict = Depends(require_admin),
 ) -> WebhookCreateResponse:
@@ -78,6 +97,8 @@ async def api_create_webhook(
     if existing:
         raise HTTPException(status_code=409, detail="Webhook name already exists")
 
+    _validate_url_or_422(str(req.url))
+
     # Auto-generate a URL-safe secret if the caller didn't provide one.
     # 32 bytes of os-entropy is the same ballpark as a CSRF token.
     secret = req.secret or secrets.token_urlsafe(32)
@@ -146,6 +167,7 @@ async def api_get_webhook(
         400: {"description": "Empty or invalid patch"},
         404: {"description": "Webhook not found"},
         409: {"description": "Name already in use"},
+        422: {"description": "URL resolves to a forbidden (internal) destination"},
     },
 )
 @_traced("api.webhook.update")
@@ -167,6 +189,7 @@ async def api_update_webhook(
         patch["name"] = req.name
 
     if req.url is not None:
+        _validate_url_or_422(str(req.url))
         patch["url"] = str(req.url)
 
     if req.secret is not None: