fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

tests/api/webhooks/test_crud.py

@@ -9,6 +9,80 @@ import pytest
 PATH = "/api/v1/webhooks/"
 
 
+@pytest.fixture(autouse=True)
+def _public_dns(monkeypatch: pytest.MonkeyPatch):
+    """Resolve hostnames to a public IP so the registration-time SSRF guard
+    passes for the functional CRUD cases without touching the network.
+
+    IP-literal URLs (e.g. the loopback-rejection test) don't hit DNS, so
+    this stub doesn't mask them.
+    """
+    import socket
+
+    from decnet.webhook import ssrf
+
+    def fake_getaddrinfo(host, port, *a, **k):
+        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("93.184.216.34", port))]
+
+    monkeypatch.setattr(ssrf.socket, "getaddrinfo", fake_getaddrinfo)
+
+
+@pytest.mark.asyncio
+async def test_create_rejects_loopback_url(
+    client: httpx.AsyncClient, auth_token: str
+):
+    res = await client.post(
+        PATH,
+        json={
+            "name": "wh-ssrf",
+            "url": "http://127.0.0.1:8080/inbound",
+            "topic_patterns": ["system.>"],
+        },
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert res.status_code == 422, res.text
+    assert "forbidden" in res.text.lower()
+
+
+@pytest.mark.asyncio
+async def test_create_rejects_metadata_url(
+    client: httpx.AsyncClient, auth_token: str
+):
+    res = await client.post(
+        PATH,
+        json={
+            "name": "wh-meta",
+            "url": "http://169.254.169.254/latest/meta-data/",
+            "topic_patterns": ["system.>"],
+        },
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert res.status_code == 422, res.text
+
+
+@pytest.mark.asyncio
+async def test_update_rejects_loopback_url(
+    client: httpx.AsyncClient, auth_token: str
+):
+    create = await client.post(
+        PATH,
+        json={
+            "name": "wh-upd-ssrf",
+            "url": "https://good.example/x",
+            "topic_patterns": ["system.>"],
+        },
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert create.status_code == 201, create.text
+    uuid = create.json()["uuid"]
+    res = await client.patch(
+        f"{PATH}{uuid}",
+        json={"url": "http://10.0.0.1/x"},
+        headers={"Authorization": f"Bearer {auth_token}"},
+    )
+    assert res.status_code == 422, res.text
+
+
 @pytest.mark.asyncio
 async def test_create_requires_patterns(client: httpx.AsyncClient, auth_token: str):
     res = await client.post(