fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

tests/api/auth/test_bulk_revocation.py

@@ -18,7 +18,14 @@ import pytest
 from sqlalchemy import select
 
 from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
-from decnet.web.auth import ALGORITHM, SECRET_KEY, get_password_hash
+from decnet.web.auth import (
+    ALGORITHM,
+    JWT_AUDIENCE,
+    JWT_ISSUER,
+    JWT_TYPE,
+    SECRET_KEY,
+    get_password_hash,
+)
 from decnet.web.db.models import User
 from decnet.web.dependencies import repo
 
@@ -54,7 +61,17 @@ def _aged_token(uuid: str, *, seconds_old: int = 30) -> str:
     change sets to 'now', so it is deterministically revoked once bumped."""
     now = int(time.time())
     return jwt.encode(
-        {"uuid": uuid, "jti": f"aged-{uuid}", "iat": now - seconds_old, "exp": now + 3600},
+        {
+            "uuid": uuid,
+            "jti": f"aged-{uuid}",
+            "iat": now - seconds_old,
+            "exp": now + 3600,
+            # The verifier now pins issuer/audience/type (V2.1.1 / V3.1.2); a
+            # manually-encoded token must carry them or decode rejects it.
+            "iss": JWT_ISSUER,
+            "aud": JWT_AUDIENCE,
+            "typ": JWT_TYPE,
+        },
         SECRET_KEY, algorithm=ALGORITHM,
     )
 

tests/api/auth/test_change_pass.py

@@ -4,6 +4,7 @@ import pytest
 from hypothesis import given, strategies as st, settings
 import httpx
 from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
+from decnet.web.limiter import limiter as _limiter
 from ..conftest import _FUZZ_SETTINGS
 
 @pytest.mark.anyio
@@ -57,6 +58,46 @@ async def test_fuzz_change_password(client: httpx.AsyncClient, old_password: str
             json=_payload,
             headers={"Authorization": f"Bearer {_token}"}
         )
-        assert _response.status_code in (200, 401, 422)
+        # 400: schema-guard middleware rejects bad length/shape (e.g. a
+        # new_password below the 12-char floor) before the handler runs.
+        assert _response.status_code in (200, 400, 401, 422)
     except (UnicodeEncodeError, json.JSONDecodeError):
         pass
+
+
+# ─── Rate-limit enforcement ─────────────────────────────────────────────────
+
+
+@pytest.mark.anyio
+async def test_change_password_rate_limit_trips_after_5(client: httpx.AsyncClient) -> None:
+    """5 change-password attempts from one IP → 6th returns 429."""
+    login_resp = await client.post(
+        "/api/v1/auth/login",
+        json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD},
+    )
+    token = login_resp.json()["access_token"]
+
+    for i in range(5):
+        r = await client.post(
+            "/api/v1/auth/change-password",
+            json={"old_password": f"wrong-{i}", "new_password": "does-not-matter-x!"},
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        # 401 (bad old password) or 429 if the limiter fires — either is fine
+        assert r.status_code in (401, 429), f"attempt {i}: got {r.status_code}"
+
+    # The 6th attempt must trip the rate limiter (limit is 5/minute).
+    r = await client.post(
+        "/api/v1/auth/change-password",
+        json={"old_password": "still-wrong", "new_password": "does-not-matter-x!"},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert r.status_code == 429
+
+
+@pytest.mark.anyio
+async def test_change_password_route_has_rate_limit_decorator() -> None:
+    """Contract test: change_password handler must be wrapped by slowapi."""
+    from decnet.web.router.auth import api_change_pass as _mod
+
+    assert getattr(_mod.change_password, "__wrapped__", None) is not None

tests/api/auth/test_sse_ticket.py

@@ -0,0 +1,111 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""SSE stream tickets (V3.1.1) + change-password min-length (V2.1.3).
+
+The ticket store is a security boundary: single-use, 60s, fail-closed. These
+cover the mint→redeem happy path, single-use reuse rejection, expiry rejection,
+the endpoint round-trip, and the V3.1.1 invariant that a raw JWT in the SSE
+query string is no longer accepted.
+"""
+from __future__ import annotations
+
+import httpx
+import pytest
+from fastapi import HTTPException
+
+from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
+from decnet.web.auth import create_access_token
+from decnet.web import dependencies as deps
+
+
+# ── ticket store unit tests ──────────────────────────────────────────────────
+
+def test_mint_then_redeem_happy_path() -> None:
+    deps._reset_sse_tickets()
+    ticket = deps.mint_sse_ticket("user-1", "viewer")
+    identity = deps._redeem_sse_ticket(ticket)
+    assert identity == {"uuid": "user-1", "role": "viewer"}
+
+
+def test_ticket_is_single_use() -> None:
+    deps._reset_sse_tickets()
+    ticket = deps.mint_sse_ticket("user-1", "admin")
+    deps._redeem_sse_ticket(ticket)  # first redeem consumes it
+    with pytest.raises(HTTPException) as exc:
+        deps._redeem_sse_ticket(ticket)
+    assert exc.value.status_code == 401
+
+
+def test_unknown_ticket_rejected() -> None:
+    deps._reset_sse_tickets()
+    with pytest.raises(HTTPException) as exc:
+        deps._redeem_sse_ticket("never-minted")
+    assert exc.value.status_code == 401
+
+
+def test_expired_ticket_rejected() -> None:
+    deps._reset_sse_tickets()
+    # Mint, then jam the entry's expiry into the past so redeem fails closed.
+    ticket = deps.mint_sse_ticket("user-1", "viewer")
+    exp, identity = deps._sse_tickets[ticket]
+    deps._sse_tickets[ticket] = (exp - deps._SSE_TICKET_TTL - 1, identity)
+    with pytest.raises(HTTPException) as exc:
+        deps._redeem_sse_ticket(ticket)
+    assert exc.value.status_code == 401
+
+
+# ── endpoint round-trip ──────────────────────────────────────────────────────
+
+@pytest.mark.anyio
+async def test_sse_ticket_endpoint_requires_auth(client: httpx.AsyncClient) -> None:
+    resp = await client.post("/api/v1/auth/sse-ticket")
+    assert resp.status_code == 401
+
+
+@pytest.mark.anyio
+async def test_sse_ticket_endpoint_mints_and_redeems(
+    client: httpx.AsyncClient, auth_token: str
+) -> None:
+    deps._reset_sse_tickets()
+    resp = await client.post(
+        "/api/v1/auth/sse-ticket",
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert resp.status_code == 200, resp.text
+    body = resp.json()
+    assert body["expires_in"] == 60
+    ticket = body["ticket"]
+    assert ticket and "." not in ticket  # opaque, not a JWT
+    # The minted ticket redeems to a bound identity exactly once.
+    identity = deps._redeem_sse_ticket(ticket)
+    assert "uuid" in identity and identity["role"] in ("admin", "viewer")
+
+
+def test_raw_jwt_in_sse_query_rejected() -> None:
+    """V3.1.1: a raw JWT is not a valid opaque ticket — _redeem_sse_ticket rejects
+    any token that wasn't minted by mint_sse_ticket (unknown key → 401)."""
+    deps._reset_sse_tickets()
+    token = create_access_token({"uuid": "leaked", "jti": "x"})
+    with pytest.raises(HTTPException) as exc:
+        deps._redeem_sse_ticket(token)
+    assert exc.value.status_code == 401
+
+
+# ── V2.1.3 change-password min length ────────────────────────────────────────
+
+@pytest.mark.anyio
+async def test_change_password_below_min_length_rejected(
+    client: httpx.AsyncClient,
+) -> None:
+    resp = await client.post("/api/v1/auth/login", json={
+        "username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD,
+    })
+    token = resp.json()["access_token"]
+    # 11 chars — one below the 12-char floor. The request-validation layer
+    # rejects the bad length before any auth/logic runs; DECNET's schema-guard
+    # middleware surfaces length violations as 400 (not the raw 422).
+    r = await client.post(
+        "/api/v1/auth/change-password",
+        json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "short123456"},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert r.status_code in (400, 422), r.text