fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.

tests/correlation/attribution/test_multi_actor_correlator.py

@@ -223,3 +223,62 @@ async def test_independent_dedup_per_identity(
     seen = {c["payload"]["identity_uuid"] for c in captured}
     assert seen == {iuid_a, iuid_b}
     await bus.close()
+
+
+@pytest.mark.anyio
+async def test_rearms_for_sub_threshold_identity_in_candidates(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """BUG-10 regression: seen_now.add() must run AFTER the threshold guard.
+
+    If an identity is returned by the repo with < MULTI_ACTOR_MIN_PRIMITIVES
+    (defensive path) it must NOT be added to seen_now.  That means it stays
+    absent from seen_now → gets removed from last_fired on the stale-rearm
+    sweep → re-fires when primitives climb back above threshold.
+
+    Before fix: seen_now.add() ran before the continue, so the identity
+    was treated as present-and-seen even though it was below threshold,
+    and last_fired was never cleared → no rearm.
+    """
+    bus = FakeBus()
+    await bus.connect()
+    captured: list[dict[str, Any]] = []
+
+    async def cap(_b, t, p, *, event_type=""):
+        captured.append({"topic": t, "payload": p})
+
+    monkeypatch.setattr(_aw, "publish_safely", cap)
+
+    iuid = "test-rearm-uuid"
+
+    class _StubRepo:
+        def __init__(self, entries: list[dict]) -> None:
+            self._entries = entries
+
+        async def list_multi_actor_identities(self) -> list[dict]:
+            return list(self._entries)
+
+    # First tick: identity fires with 2 primitives.
+    repo_above = _StubRepo([
+        {"identity_uuid": iuid, "primitives": ["prim.a", "prim.b"]},
+    ])
+    last_fired: dict[str, Any] = {}
+    await _aw.tick_multi_actor(bus, repo_above, last_fired)  # type: ignore[arg-type]
+    assert len(captured) == 1
+    assert iuid in last_fired
+
+    # Second tick: identity returned by repo but with only 1 primitive
+    # (sub-threshold defensive path).  last_fired[iuid] must be cleared.
+    repo_below = _StubRepo([
+        {"identity_uuid": iuid, "primitives": ["prim.a"]},
+    ])
+    await _aw.tick_multi_actor(bus, repo_below, last_fired)  # type: ignore[arg-type]
+    assert iuid not in last_fired, (
+        "sub-threshold identity must be removed from last_fired so it re-arms"
+    )
+
+    # Third tick: identity climbs back above threshold — must re-fire.
+    await _aw.tick_multi_actor(bus, repo_above, last_fired)  # type: ignore[arg-type]
+    assert len(captured) == 2, "identity must re-fire after rearm"
+
+    await bus.close()